

FEDERAL INFORMATION TECHNOLOGY INVESTMENT
MANAGEMENT, STRATEGIC PLANNING,
AND PERFORMANCE MEASUREMENT: $60
BILLION REASONS WHY


HEARING 


BEFORE THE 

SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
POLICY, INTERGOVERNMENTAL RELATIONS AND

THE CENSUS 

OF THE 

COMMITTEE ON 
GOVERNMENT REFORM

HOUSE OF REPRESENTATIVES

ONE HUNDRED EIGHTH CONGRESS 

SECOND SESSION 

MARCH 3, 2004 


Serial No. 108-164 


Printed for the use of the Committee on Government Reform 



Available via the World Wide Web: http://www.gpo.gov/congress/house 
http://www.house.gov/reform 


U.S. GOVERNMENT PRINTING OFFICE 
94-773 PDF WASHINGTON : 2004 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON GOVERNMENT REFORM 


TOM DAVIS, Virginia, Chairman 

DAN BURTON, Indiana 


CHRISTOPHER SHAYS, Connecticut 
ILEANA ROS-LEHTINEN, Florida 
JOHN M. McHUGH, New York 
JOHN L. MICA, Florida 
MARK E. SOUDER, Indiana 
STEVEN C. LaTOURETTE, Ohio 
DOUG OSE, California 
RON LEWIS, Kentucky 
JO ANN DAVIS, Virginia 
TODD RUSSELL PLATTS, Pennsylvania 
CHRIS CANNON, Utah 
ADAM H. PUTNAM, Florida 
EDWARD L. SCHROCK, Virginia 
JOHN J. DUNCAN, Jr., Tennessee
NATHAN DEAL, Georgia 
CANDICE S. MILLER, Michigan 
TIM MURPHY, Pennsylvania 
MICHAEL R. TURNER, Ohio 
JOHN R. CARTER, Texas 
MARSHA BLACKBURN, Tennessee 


HENRY A. WAXMAN, California 
TOM LANTOS, California 
MAJOR R. OWENS, New York 
EDOLPHUS TOWNS, New York 
PAUL E. KANJORSKI, Pennsylvania 
CAROLYN B. MALONEY, New York 
ELIJAH E. CUMMINGS, Maryland 
DENNIS J. KUCINICH, Ohio 
DANNY K. DAVIS, Illinois 
JOHN F. TIERNEY, Massachusetts 
WM. LACY CLAY, Missouri 
DIANE E. WATSON, California 
STEPHEN F. LYNCH, Massachusetts 
CHRIS VAN HOLLEN, Maryland 
LINDA T. SANCHEZ, California 
C.A. “DUTCH” RUPPERSBERGER, Maryland 
ELEANOR HOLMES NORTON, District of 
Columbia 

JIM COOPER, Tennessee 


BERNARD SANDERS, Vermont 
(Independent) 


Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel

Subcommittee on Technology, Information Policy, Intergovernmental 
Relations and the Census 

ADAM H. PUTNAM, Florida, Chairman 
CANDICE S. MILLER, Michigan WM. LACY CLAY, Missouri 

DOUG OSE, California DIANE E. WATSON, California 

TIM MURPHY, Pennsylvania STEPHEN F. LYNCH, Massachusetts 

MICHAEL R. TURNER, Ohio 

Ex Officio 

TOM DAVIS, Virginia HENRY A. WAXMAN, California 

Bob Dix, Staff Director 
Chip Walker, Professional Staff Member 
Juliana French, Clerk 

Adam Bordes, Minority Professional Staff Member 





CONTENTS 


Hearing held on March 3, 2004

Statement of:

Johnson, Clay, III, Deputy Director for Management, Office of Management
and Budget; Karen Evans, Administrator, Office of Electronic
Government and Information Technology, OMB; and David A. Powner,
Director, Information Technology Management Issues, U.S. General
Accounting Office

Letters, statements, etc., submitted for the record by:

Evans, Karen, Administrator, Office of Electronic Government and Information
Technology, OMB, prepared statement of

Johnson, Clay, III, Deputy Director for Management, Office of Management
and Budget, prepared statement of

Powner, David A., Director, Information Technology Management Issues,
U.S. General Accounting Office, prepared statement of

Putnam, Hon. Adam H., a Representative in Congress from the State
of Florida, prepared statement of




FEDERAL INFORMATION TECHNOLOGY INVESTMENT
MANAGEMENT, STRATEGIC PLANNING,
AND PERFORMANCE MEASUREMENT:
$60 BILLION REASONS WHY


WEDNESDAY, MARCH 3, 2004 

House of Representatives, 

Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census, 

Committee on Government Reform, 

Washington, DC. 

The subcommittee met, pursuant to notice, at 1 p.m., in room 
2154 House Office Building, Hon. Adam H. Putnam (chairman of 
the subcommittee) presiding. 

Members present: Representatives Putnam and Clay. 

Staff present: Bob Dix, staff director; John Hambel, senior coun- 
sel; Chip Walker, professional staff member; Juliana French, clerk; 
Suzanne Lightman, fellow; Adam Bordes and David McMillen, mi- 
nority professional staff members; and Jean Gosa, minority assist- 
ant clerk. 

Mr. Putnam. A quorum being present, this hearing of the Sub- 
committee on Technology, Information Policy, Intergovernmental 
Relations and the Census will come to order. I want to thank ev- 
eryone for being here and welcome you to the subcommittee’s kick- 
off hearing for 2004. 

Today’s hearing is appropriately entitled, “Federal Information 
Technology, Investment Management, Strategic Planning and Per- 
formance Measurement: $60 Billion Reasons Why.” Today’s over- 
sight hearing sets the foundation for the range of oversight hear- 
ings we have planned for the remainder of the year in the areas 
of electronic governance, enterprise architecture, interoperability, 
information sharing and, perhaps most importantly, cybersecurity. 

Last year, this subcommittee held 22 hearings to review the 
progress being made by the Federal Government in these specific 
IT areas. While the subcommittee individually examined each sub- 
ject matter in detail at those hearings, it became clear as each 
hearing passed that addressing any particular IT challenge is not 
only related to other competing IT challenges, but also must be re- 
solved simultaneously and in an integrated way with all others. 

This is without doubt a difficult challenge that requires the ulti- 
mate combination of managing our IT investments effectively, plan- 
ning strategically, and measuring performance appropriately. 

The purpose of this afternoon’s hearing is to provide the subcommittee
with a clearer understanding of the policies, processes
and procedures that now determine the Federal Government’s annual
investment in IT.

Four weeks ago, the President sent his fiscal year 2005 budget 
to Congress, a budget requesting $60 billion in spending for IT 
products and services. Underlying this request are a series of acts 
that have established principles for sound IT management within 
the Federal Government. 

For many years, the Federal Government pursued an IT agenda 
that did not necessarily emanate from customer service or sound 
business practices. “Stovepiped” solutions, proprietary systems and 
a lack of interoperability or even plans to interface with other sys- 
tems were considered ordinary and acceptable conditions. 

A list of congressional legislation, initiatives and guidance since 
1996, including Clinger-Cohen Act, the E-Gov Act and FISMA have 
led to changes that provide OMB with the oversight flexibility
needed to coordinate, manage, plan and measure results emanating 
from its IT investments made across the Federal Government. 

Put another way, OMB was given the responsibility and authority
to function as the check and balance on a Federal Government
IT culture that long accepted agency claims that their system abso- 
lutely required a unique solution, unique software, unique hard- 
ware, unique staff, unique business processes and could never 
interface with other systems. 

Additionally, past agency claims that IT performance and agency 
performance are two separate issues have taken a different course 
due to Clinger-Cohen and the E-Gov Act. 

To what extent IT management and agency performance are appropriately
tied is an important question that deserves this subcommittee’s
attention. OMB has taken a number of steps through
budget guidance, memoranda and circulars to ensure agencies 
unify behind effective IT planning, cross-agency solutions and 
elimination of redundancies. 

Perhaps the most visible initiative, matching agency performance 
measurements with overall IT investment, is embodied in the 
President’s management agenda. I’m particularly pleased that Clay 
Johnson, the President’s Deputy Director for Management at OMB,
will be testifying today to discuss progress being made in this area.
We’re also delighted to have with us Karen Evans, Administrator
of E-Government and Information Technology, OMB. In addition to
connecting agency performance to IT spending, I look forward to
this afternoon’s dialog with Ms. Evans regarding the results of enhanced
OMB budget guidance to agencies in preparing their 2005
request, the results of utilizing a Federal enterprise architecture 
and planning, the results of OMB’s review of agency IT business 
cases, the results of utilizing E-Government and the results of pur- 
suing consolidation of duplicative systems. 

As I mentioned earlier, cybersecurity is one of the primary fac- 
tors that must be woven into any IT spending plan. As such, the 
subcommittee will review the steps taken this year by OMB in preparing
its 2005 budget submission to further enhance the security
of Federal information networks and protect the information they
contain in accordance with FISMA. 

The General Accounting Office has also joined us to share their recent
findings and recommendations on improving the linkages between
IT’s strategic planning, performance measures and investment
management as required by Clinger-Cohen.

While individual congressional appropriations subcommittees 
and some authorizing committees have kept an eye on projects and 
programs within their purview, very few congressional hearings 
have taken place to examine the cross cutting horizontal picture of 
investing $60 billion on IT more wisely by coordinating and collabo- 
rating across traditional agency boundaries. 

From the congressional perspective, we have passed our share of 
laws requiring OMB to coordinate IT expenditures. In addition to
making sure the Federal Government is on course, this hearing 
provides Congress an opportunity to improve our own IT spending 
decisions. We need to be authorizing and appropriating our tax- 
payer dollars on IT based on the same cross agency collaborative 
methodology that we require of OMB and agencies in their budget
submissions. 

While I recognize every Member of Congress comes to Washing- 
ton with a different set of priorities, I encourage my colleagues to 
join me this afternoon to reflect on IT investment in a comprehen- 
sive and cross-cutting manner instead of by program or by func- 
tion, just as we ask this afternoon’s witnesses to do every day. 

At the appropriate time we will yield to the gentleman from Mis- 
souri, the ranking member, Mr. Clay, for his opening remarks and 
any other Members who choose to join us this afternoon. 

With that we will move directly into the testimony as is the cus- 
tom for the Subcommittee of Government Reform, I would ask the 
witnesses to please rise and raise your right hand to be sworn. 

[The prepared statement of Hon. Adam H. Putnam follows:] 






ONE HUNDRED EIGHTH CONGRESS

Congress of the United States

House of Representatives

COMMITTEE ON GOVERNMENT REFORM
2157 Rayburn House Office Building
Washington, DC 20515-6143

www.house.gov/reform



Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census
Congressman Adam Putnam, Chairman 



OVERSIGHT HEARING 

STATEMENT BY ADAM PUTNAM, CHAIRMAN 

Hearing topic: “Federal Information Technology Investment Management,
Strategic Planning, and Performance Measurement: 60 Billion Reasons Why.”

Monday, March 3, 2003
1:00 p.m.

Room 2154 Rayburn House Office Building 


OPENING STATEMENT 


Good morning and welcome to the Subcommittee’s kickoff hearing for 2004. 
Today’s hearing is appropriately titled, “Federal Information Technology Investment
Management, Strategic Planning, and Performance Measurement: 60 Billion Reasons
Why.”

Today’s oversight hearing sets the foundation for the range of oversight hearings 
we have planned for the remainder of the year in the areas of electronic governance,
enterprise architecture, interoperability, information sharing, and - perhaps most 
importantly - cybersecurity. 





Last year, this subcommittee held 22 hearings to review the progress being made
by the federal government in these specific IT areas. While the Subcommittee
individually examined each subject matter in detail at those hearings, it became crystal
clear as each hearing passed that addressing any particular IT challenge is not only
related to other competing IT challenges, but also must be resolved simultaneously and in
a fully integrated manner with all other IT challenges.

This is, without doubt, a difficult challenge that requires the ultimate combination 
of managing our IT investments effectively, planning strategically, and measuring 
performance appropriately. 

The purpose of this afternoon’s hearing is to provide the Subcommittee with a 
clearer understanding of the policies, processes and procedures that now determine the 
federal government’s annual investment in information technology (IT). 

Four weeks ago, the President sent his FY05 budget to Congress, a budget that 
requests nearly $60 billion in spending for IT products and services. Underlying this 
request is a series of Acts that have established principles for sound IT management 
within the federal government. 

For many years, the federal government pursued an IT agenda that did not 
necessarily emanate from customer service or sound business practices. “Stovepiped” 
solutions, proprietary systems, and a lack of interoperability (or even plans to interface) 
with other systems were considered ordinary and acceptable conditions. 

A list of Congressional legislation, initiatives, and guidance since 1996, including 
the Clinger-Cohen Act, the E-Government Act, and the Federal Information Security
Management Act (known as FISMA) have led to changes that provide OMB with the
oversight flexibility needed to coordinate, manage, plan, and measure results emanating 
from IT investments made across the federal government. 

Put another way, OMB was given the responsibility and authority to function as
the necessary check-and-balance on a federal government IT culture that long accepted 
agency claims that “their” particular system absolutely required a unique IT solution, 
unique software, unique hardware, unique staff, unique business processes, and could 
never interface with other systems. 

Additionally, past agency claims that IT performance and agency performance are 
two separate issues have taken a different course due to “Clinger-Cohen” and the “E-Gov 
Act”. To what extent IT management and agency performance is appropriately tied is an 
important question that deserves this Subcommittee’s attention. 

OMB has taken a number of steps through regulation, budget guidance,
memoranda, and circulars to ensure agencies unify behind effective IT planning,
cross-agency solutions, and elimination of redundancies. Perhaps the most visible initiative
matching agency performance measurements with overall IT investment is embodied in
the President’s Management Agenda.





I look forward to this afternoon’s dialogue with OMB regarding the results of 
enhanced OMB budget guidance to agencies in preparing the FY05 IT budget, the results
of utilizing a Federal Enterprise Architecture in planning, the results of OMB’s review of
agency IT business cases, the results of utilizing E-Government, and the results of
pursuing consolidation of duplicative systems. Also, GAO will share their recent
findings and recommendations on improving the linkages between IT strategic planning,
performance measurements and investment management as required by the
Clinger-Cohen Act of 1996.

While individual Congressional appropriations subcommittees (and perhaps some 
authorizing committees) have kept an eye on projects and programs within their purview, 
very few Congressional hearings have taken place to examine the cross-cutting, 
horizontal picture of investing $60 billion on IT more wisely by coordinating and
collaborating across traditional federal government agency boundary lines. 

From the Congressional perspective, we have certainly passed our share of laws 
requiring OMB to coordinate IT expenditures across agency boundary lines. 

In addition to making sure the federal government is on course, this hearing 
provides Congress with a unique opportunity to improve our own IT spending decisions. 
We clearly need to be authorizing and appropriating our taxpayer dollars on IT based on
the same cross-agency collaborative methodology that we require of OMB and agencies 
in their budget submissions. 

While I recognize every member of Congress comes to Washington with a 
different set of priorities, I encourage my colleagues to join me this afternoon to reflect
on IT investment in a comprehensive and cross-cutting manner instead of by program or 
function. 


##### 





[Witnesses sworn.] 

Mr. Putnam. I note for the record that all three witnesses re- 
sponded in the affirmative. And we will begin with Mr. Johnson. 
Clay Johnson is the Deputy Director for Management at the Office 
of Management and Budget responsible for providing government- 
wide leadership to executive branch agencies to improve agency 
and program performance. He was previously Assistant to the 
President for Presidential Personnel, responsible for the organiza- 
tion that identifies and recruits approximately 4,000 senior offi- 
cials, middle management personnel and part-time Board and 
Commission Members. From 1995 to 2000, Mr. Johnson had the 
pleasure of working with Governor George W. Bush in Austin, first 
as his appointments director, then his chief of staff and finally as 
the executive director of the Bush-Cheney Transition. 

Mr. Johnson, you clearly have the ear of the President. We are 
honored to have you with us this afternoon. We appreciate the 
work that you have performed for the Federal Government and if 
you will pause for just 1 second. Let me check on the status of 
votes. 

[Pause.] 

Mr. Putnam. Very good. We are expecting votes somewhere be- 
tween 1:30 and 2:15 so hopefully we can certainly get through the 
opening remarks before we have to interrupt you and I apologize 
for that. That’s unfortunately the way we run the railroad around 
here. 

Welcome to the subcommittee and thank you for being here. 

STATEMENTS OF CLAY JOHNSON III, DEPUTY DIRECTOR FOR 

MANAGEMENT, OFFICE OF MANAGEMENT AND BUDGET; 

KAREN EVANS, ADMINISTRATOR, OFFICE OF ELECTRONIC 

GOVERNMENT AND INFORMATION TECHNOLOGY, OMB; AND 

DAVID A. POWNER, DIRECTOR, INFORMATION TECHNOLOGY 

MANAGEMENT ISSUES, U.S. GENERAL ACCOUNTING OFFICE 

Mr. Johnson. Mr. Chairman, thank you. Thank you for having 
Karen and me here. I believe, the President believes that the Fed- 
eral Government is in the process of becoming results-oriented. If 
you asked 10 or a 100 people to raise their hand if they think the 
Federal Government is results-oriented, not many of them would 
do that. I think all of us, agencies, executive branch, legislative 
branch are in the process of changing that. 

Traditionally, the Federal Government is focused on the amount 
of money we spend on a problem or opportunity as a measure of 
our commitment to dealing with that problem or opportunity. It’s 
harder, but more relevant to focus on what we actually get for the 
money we spend and if that’s not satisfactory, if what we’re getting 
is not satisfactory, figuring out what we do about it. 

This is the approach we’re taking with our IT investments, and 
early as you said, $60 billion in IT investments. We are not perfect. 
We continue to improve each year. One of the reasons I believe 
that we are going to see significant continued improvement, if not 
accelerated improvement this next year in the IT management, in- 
vestment management area is because Karen Evans has come over, 
we’ve enticed her away from the Department of Energy to head up 
this office. She’s a 20 plus year employee of the Federal Government
and knows what goes on in agencies and knows the way it
used to be and has a good taste for the way it can be and has tre- 
mendous credibility within the IT community and the Federal Gov- 
ernment. And so I can’t imagine a better person to head up our ef- 
forts at this time to continue to lead this effort in the direction that 
we all want it to go in. So you’re going to hear me today refer a 
whole lot of questions and comments to Karen, but I know that’s 
what you expected when you invited me to come up here, but I’m 
glad to be up here. 

[The prepared statement of Mr. Johnson follows:] 





Statement of the Honorable Clay Johnson III 
Deputy Director for Management 
Office of Management and Budget 

before the 

Subcommittee on Technology, Information Policy, Intergovernmental 
Relations and the Census 
of the 

Committee on Government Reform 
U.S. House of Representatives 

March 3, 2004 

Thank you Mr. Chairman and Members of the Subcommittee for inviting me to 
testify this morning. I am proud of our accomplishments on the President’s 
Management Agenda, particularly in the area of information technology 
management, which we are here to discuss today. I am joined by Karen Evans, the 
President’s Administrator of the Office of E-Gov and Information Technology at 
OMB. Karen and I work together to improve how the government manages IT.

The federal government is becoming results-oriented. 

We are asking whether federal programs produce the intended results, and if they 
don’t, we’re working with Congress to decide what to do about it. We are asking 
what it costs to produce those intended results, and if the costs are trending up or 
considered unacceptable, we’re looking for ways to become more efficient. We 
are asking whether we’re effectively managing and investing in our workforce, and 
if not, we’re working with Congress to decide what to do about it. We are asking 
whether we are professionally managing and utilizing our vast investments in real 
property, and if we decide we are not, we will work with Congress to do something 
about it. 

Traditionally, we have focused on the amount of money we spend on a problem or 
an opportunity as a measure of our commitment to dealing with it. For instance, 
we have said we care a lot about teaching needed skills to low-income adults and 
point to our spending more than $500 million on the matter as an indication of how 
committed we are to the issue. The better and more relevant measures of our 
attention to teaching needed skills to low-income adults, though, are how many 
low-skilled adults we’re teaching to read, how many go on to earn their high 



10 


school diplomas, how many learn English, or how many get better job skills. It’s 
harder to do this, to determine what we’re really accomplishing and at what cost, 
but that’s what we’re doing. For instance, we concluded that most of the students 
being served by the Adult Education State Grants program, the primary program 
focused on teaching needed skills to low-income adults, were not getting
measurable benefits from the program. So we proposed legislation to allow us to 
target grants to educational approaches that have proven effective in increasing 
reading and math skills and making grants contingent on achieving real and 
measurable outcomes, like teaching people the skills they need to succeed. 

We are looking at our tremendous investments in information technology in the 
same fashion. We spend almost $60 billion in information technology each year, 
more than anybody else in the world. With increasing effectiveness we are asking 
whether those expenditures are producing or are likely to produce the desired 
result, and if they aren’t, we are doing something about it. 

We have agencies develop a business case for each IT investment, to identify the 
benefit to the agency and/or the citizens that justifies the investment. If the 
investment is not justified, we do not recommend it be funded. 

We have agencies commit qualified project management resources to each IT 
project to ensure execution is timely and on budget, and if those resources are not 
available, we work with the agency to identify and reallocate the resources needed 
to make certain that the management deficiency has been addressed. 

We have agencies commit funds and resources to securing each IT system, and 
until that happens, we limit new starts and other developmental activities until the 
security deficiency has been addressed. 

We have agencies work together on government-wide E-gov initiatives to focus on 
citizen needs ... to inquire about benefits, to apply for a job, to inquire about and/or
apply for a grant, to reserve a campsite, and the like. We are working with 
agencies to limit "unique" solutions to "common" needs. 

Results. We are managing our IT expenditures to produce the results that will 
more than justify the taxpayers’ money we are spending. 

### 





Mr. Putnam. At this time we’ll recognize Ms. Evans. On Septem- 
ber 3, 2003, Karen Evans was appointed by President Bush to be 
the Administrator of the Office of Electronic Government and Infor- 
mation Technology at the Office of Management and Budget. Prior 
to joining OMB, Ms. Evans was Chief Information Officer at the
Department of Energy and served as vice chairman of the CIO 
Council, the principal forum for agency CIOs to develop IT rec- 
ommendations. Previously, she served at the Department of Justice 
as Assistant and Division Director for Information System Manage- 
ment. The last time Ms. Evans testified before our subcommittee, 
we were kind enough to provide her with 48 hours on the job before 
calling her to testify. Now that she’s an OMB veteran with 5
months under her belt, we welcome her and look forward to hear- 
ing of the progress being made to improve the management of our 
IT spending. 

Welcome, Ms. Evans, and you’re recognized for your opening re- 
marks. Thank you for coming before the subcommittee. 

Ms. Evans. Mr. Chairman and members of the subcommittee, 
thank you for inviting me here today. My remarks will focus on the 
administration’s strategy and progress in planning, managing and 
measuring the results of the Government’s technology investments 
on the successful results of the President’s E-Government Initiatives
and on the impact of the Federal Enterprise Architecture
[FEA].

The President’s 2005 budget includes nearly $60 billion for IT 
and reflects this administration’s commitment to defense and 
homeland security. This budget also shows our continuing work in 
exercising fiscal responsibility without sacrificing results. We are 
reaffirming the administration’s commitment to results-oriented 
management by reducing duplication in IT spending while improv- 
ing service delivery for the citizen. Of the nearly 1,200 major 
projects included in this year’s budget, 621 representing about $22 
billion are on a “management watch list.” These include mission- 
critical projects that need to improve performance measures, 
project management and/or IT security. The fiscal year 2005 budget 
requires agencies to successfully correct identified project weaknesses
and business case deficiencies or OMB will limit spending
on new starts and other developmental activities. 

Ensuring the security of the Federal Government’s information 
and systems is a critical element of effective and responsible IT 
management. The Federal Information Security Management Act 
[FISMA], requires agencies and Inspector Generals to review and 
evaluate agency IT security programs and systems each year and 
to report their results to OMB and the Congress. Both FISMA and
the longstanding OMB policy direct agencies to fund IT security
throughout the life cycle of every system and to develop remedi- 
ation plans for all systems with IT security weaknesses. 

OMB used the information from the annual FISMA reports and
quarterly remediation updates to directly influence the fiscal year
2005 budget process as well as to prioritize fiscal year 2004 expenditures.
Agencies with significant weaknesses in information
and systems security were directed to remediate operational systems
prior to spending fiscal year 2004 development or modernization
funds. If additional resources are needed to resolve those
weaknesses, agencies are to use their 2004 development funds.
These steps underscore the President’s commitment to security and
privacy.

The fiscal year 2005 E-Government priorities and IT resource 
levels reflect activities in which we are presently engaged with the 
agencies. For example, agencies must now review all commercial 
software acquisitions for possible inclusion into the SmartBuy pro- 
gram which is designated to leverage government purchasing 
power and reduce redundant purchases. Further, the appropriate 
agency acquisition official must review all planned IT acquisitions
over million to ensure the acquisition does not duplicate any E- 
Government initiative. Agencies may only complete an acquisition 
found to be duplicative with my prior approval. 

In addition to using the “find and apply” solutions of the 
Grants.gov initiative, fiscal year 2004 new planning and develop- 
ment dollars are being redirected to develop an action plan, solu- 
tion and architecture for an agency’s grants management system 
that will integrate to a governmentwide solution by September 1, 
2004. 

Finally, agencies have been asked to redirect all planning and ac- 
quisition dollars for core financial systems in fiscal year 2004 to- 
ward developing standards and architecture for a governmentwide 
solution. 

We first used the Federal Enterprise Architecture in formulating 
the fiscal year 2004 budget. Using the business reference model, we 
identified six major service areas with over $6.8 billion of IT invest- 
ment funding that seemed to offer potential for the government- 
wide collaboration, consolidation and savings. 

The Department of Health and Human Services is leading efforts 
to identify specific health-related work areas where technologies 
can be leveraged leading to real cost savings. All of the major Fed- 
eral investigative agencies, led by the Department of Justice, are 
working to identify opportunities to use shared technology tools to 
support their case management needs and in the area of financial 
management, the Departments of Energy and Labor are leading a 
cross-agency taskforce to achieve seamless data interchange among 
partner agencies, reduce acquisition expenditures and plan for a 
common architecture that includes standardized data structures, 
business processes across government for core financial systems. 

For the fiscal year 2005 budget, we identified further areas with- 
in the Federal Government that have potential for substantial col- 
laboration and consolidation and where the agencies are using the 
same technology components. As a result, we can target many of 
those technologies for government-wide, enterprise licensing
through the SmartBuy program. 

The administration will continue to work collaboratively across 
the agencies and with Congress and I look forward to working with 
you on these matters and would be happy to take questions. 

[The prepared statement of Ms. Evans follows:] 





STATEMENT OF 

THE HONORABLE KAREN EVANS 
ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND 
INFORMATION TECHNOLOGY 
OFFICE OF MANAGEMENT AND BUDGET 
BEFORE THE 

SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, 
INTERGOVERNMENTAL RELATIONS AND THE CENSUS 
U.S. HOUSE OF REPRESENTATIVES 
March 3, 2004 

Mr. Chairman and Members of the Subcommittee: 

Thank you for inviting me here today to talk to you about the federal information technology 
(IT) portfolio. My remarks will focus on the Administration’s strategy and progress to date 
in planning, managing, and measuring the results of the government’s technology 
investments. In particular, I would like to provide the Committee an update on the successful 
results of the President’s E-Government initiatives and the impact of the Federal Enterprise 
Architecture. 

IT Portfolio 

As you know, the President’s 2005 Budget request includes nearly $60 billion dollars for IT, 
and reflects this Administration’s commitment to Defense and Homeland Security. Of the 





nearly $60 billion dollars requested this year, roughly $27 billion is directed to the 
Department of Defense, while more than $10 billion directly supports Homeland Security. 
For example, the Department of Homeland Security's IT budget increased in key priority 
areas such as an additional $69 million to support border enforcement activities and an 
increase of $96 million to support Transportation Security Administration (TSA) equipment. 

This budget also shows our continuing work in exercising fiscal responsibility without 
sacrificing results. We are reaffirming the Administration’s commitment to results-oriented 
management by reducing duplication in IT spending while providing the opportunity to share 
in common solutions for agency IT needs, while improving service delivery for the citizen. 
Efforts by agencies to hold down the cost of IT services and at the same time improve citizen 
satisfaction have generated some innovative solutions. Our continued emphasis on 
eliminating redundant IT investments drove agencies to examine IT spending and develop 
consolidated plans for technology acquisition and maintenance. For example, USDA 
conducted an extensive effort to identify opportunities to reduce redundancy and duplication 
within its IT portfolio. These efforts led to the department's consolidation of its portfolio and 
a $162 million savings from the FY2004 to FY2005 budget. 

Of the nearly 1,200 major projects included in this year’s budget, 621 representing roughly 
$22 billion are currently on a “management watch list.” This list includes mission-critical 
projects in need of improvement in areas such as performance measures, project management 
and/or IT security. The FY2005 budget reflects the requirement that agencies successfully 
correct identified project weaknesses and business case deficiencies or OMB will limit new 





starts and other developmental activities; the agencies must make real progress addressing 
and correcting these weaknesses. 

Other specific challenges to better serve the citizen through E-Government include an 
ongoing shortfall in qualified project managers and IT architects needed to successfully 
manage the federal IT portfolio. 

This challenge is being addressed through direction to agencies to have a program 
management plan and a qualified project manager for projects to be approved for spending in 
2004 and thereafter. 

Status of Federal Systems 

Ensuring the security of the federal government's information and systems is a critical 
element of effective and responsible IT management. As you know, the Federal Information 
Security Management Act (FISMA) requires agencies and Inspector Generals (IGs) to 
annually review and evaluate agency IT security programs and systems and to report on their 
results to OMB and the Congress. Additionally, both FISMA and long-standing OMB policy 
direct agencies to fund IT security throughout the life cycle of every system and develop 
remediation plans for all systems with IT security weaknesses. 

OMB used the information from the annual FISMA reports and quarterly remediation 
updates to directly influence the FY 2005 budget process. Specifically: 





1. Information from agency and IG reports along with their remediation plans identified 
both agency-wide and system specific IT security weaknesses. The annual reviews and 
reports identified the gaps and the remediation plans provided the corrective actions the 
agency has determined are necessary to close the gaps. 

2. Information from OMB IT budget submission documents, including the exhibit 53 and 
300, also identifies whether appropriate steps to secure both new and legacy IT systems 
have been undertaken. For example, agencies must report whether risk-based and cost- 
effective IT security controls have been identified, implemented, and tested, and their 
operational systems have been fully certified and accredited. 

While this information assisted OMB in making FY 2005 funding decisions, thereby 
addressing longer-term IT security weaknesses, it was also useful in prioritizing FY 2004 
expenditures. For example, agencies with significant weaknesses in information and system 
security were directed to remediate operational systems with weaknesses prior to spending 
FY 2004 development or modernization funds. If additional resources are needed to resolve 
those weaknesses, agencies are to use their FY 2004 development funds. These steps were 
taken to reinforce both law and policy requirements; they underscore the President's 
commitment to security and privacy. 

Effects of E-Government Initiatives 

FY 2005 E-Government priorities and IT resource levels reflect activities with which we are 
presently engaged with the agencies. For example, this year agencies must review all 
commercial software acquisitions for appropriateness for inclusion into the SmartBuy 





program. This program will leverage government purchasing power and reduce redundant 
purchases. If an agency intends to complete an acquisition found to be duplicative, my prior 
approval is required. 

Another example is our work in the enterprise human resources initiative (EHRI). Agencies 
have been directed to work with OPM to develop a migration plan to the EHRI initiative 
which provides workforce analysis tools. Agencies must cease further development of 
agency-specific workforce analysis tools and capabilities. Agencies are identifying FY2004 
resources for development and maintenance of workforce analysis tools, re-directing 
redundant spending to support migrations to the common EHRI tools. Accordingly, no 
resources for new agency workforce analysis tools are included in the FY2005 Budget. 

In Phase 2 of Grants.gov, agencies must use the "find and apply" solutions of this initiative. 

In addition, agencies must designate funds for migrating grants management systems and/or 
applications to the common solution developed by Grants.gov. This also includes interfacing 
back office grants management systems to the government-wide effort. All FY 2004 new 
planning and development dollars will be redirected to develop an action plan, solution, and 
architecture for an agency's grants management system that integrates to the government- 
wide solution by September 1, 2004. 

Finally, this year agencies must share all appropriate data with OMB about their core 
financial system applications on a government-wide basis. They have also been asked to 
redirect all planning and acquisition dollars for core financial systems planning and 





In preparing for FY2006 we will continue to require agencies to align their efforts with the 
FEA. We will also provide them with a web-based tool giving them access to government- 
wide data that is organized around the FEA. With this tool, each agency can identify other 
agencies engaged in developments that are similar or identical to its. Through this tool they 
can identify potential collaboration partners as well as specific technology components they 
may be able to use, rather than develop their own. We anticipate substantial savings to the 
government as these capabilities begin to take hold. 

Conclusion 

The Administration will continue to work collaboratively across agencies and with Congress. 
I look forward to working with you on these matters, and would be happy to take questions at 
this time. 





Mr. Putnam. Thank you very much, Ms. Evans. Our next wit- 
ness is David Powner. As Director of GAO’s Information Tech- 
nology Management Issues, David Powner is responsible for GAO’s 
review of Federal IT systems development and IT investment man- 
agement. Prior to his current position at GAO, he spent a number 
of years with Quest Communication where he directed their infor- 
mation technology and financial audits, as well as overseeing DSL 
software development efforts. His previous work at the GAO in- 
cludes reviews of its software development, information security 
and enterprise architecture progress at the Air Force, FAA and Na- 
tional Weather Service. 

On February 12th, Mr. Powner and his colleagues at GAO re- 
leased a report that I requested, along with Chairman Davis and 
Senate Chairman Collins, entitled, “Information Technology Man- 
agement, Government-wide Strategic Planning, Performance Meas- 
urement and Investment Management Can Be Further Improved.” 

We look forward to your recommendations and your comments on 
GAO’s findings and the conclusions that were in that report. You’re 
recognized for your opening statement. 

Mr. Powner. Chairman Putnam, we appreciate the opportunity 
to testify on Federal IT strategic planning, performance measure- 
ment and investment management. With $60 billion spent annu- 
ally on Federal information technology, having sound strategic 
plans, associated performance measures and the processes to en- 
sure the appropriate selection and oversight of these investments 
is essential. Our most recent review that you just mentioned, Mr. 
Chairman, showed considerable room for improvement in these IT 
management areas. 

As Ms. Evans just mentioned, our findings are consistent with 
the administration’s management watch list which contains over 
600 mission-critical projects totaling $22 billion that are in need of 
improvements in the areas of performance measures, project man- 
agement and/or IT security. 

Today’s request I will summarize our recently issued report on 
the extent to which Federal agencies have in place important IT 
management practices. These practices are called for in legislation, 
OMB policies and GAO guidance. I will also discuss how agencies 
can improve in these areas. 

Our report clearly showed mixed results. Collectively, the 26 
agencies we reviewed had less than 50 percent of the practices fully 
in place. Starting with strategic planning and performance meas- 
urement, agencies generally had IT strategic plans and goals, but 
these goals were not always linked to specific performance meas- 
ures. 

Moreover, few agencies monitor performance for all of their IT 
goals. Without enterprise-wide performance measures that are 
tracked against actual results, agencies lack information about 
whether their overall IT activities at a governmentwide cost of $60 
billion annually are achieving expected results. In the IT invest- 
ment management area which involves processes for selecting and 
overseeing investments, the agencies largely have IT management 
boards in place and use selection criteria to choose their invest- 
ments. However, once selected, no agency had practices associated 
with the oversight of IT investments fully in place. Such oversight 





is essential to periodically ensure that as projects are pursued and 
funds are spent, the projects are tracked to the benefits promised 
at expected costs, within proposed timeframes and at an appro- 
priate level of risk. 

This periodic oversight with key milestones also provides an 
ideal opportunity to ensure that investments continue to be aligned 
with enterprise architectures and are adequately addressing infor- 
mation security requirements. Without this executive level over- 
sight of project activities, agencies lack assurance that investments 
are on track and are continuing to meet mission needs. Nor is 
there necessarily an early warning mechanism to flag under per- 
forming projects so that corrective actions can be pursued before 
projects are out of control. 

To help agencies improve their performance in these IT manage- 
ment areas, we made over 200 recommendations to the agencies in 
our review. Overall, agencies agreed with our recommendations 
and many have planned actions to pursue them. In addition, at to- 
day’s hearing, we are releasing our latest version of our IT Invest- 
ment Management framework. This framework identifies and orga- 
nizes critical processes for selecting, overseeing and evaluating IT 
investments and offers organizations a useful tool for improving 
their IT investment management processes in a systematic and or- 
ganized manner. 

First issued as an exposure draft several years ago, this new 
version incorporates lessons learned from our use of the framework 
in our agency reviews, comments from users, as well as comments 
from public and private sector experts on IT investment manage- 
ment. 

In summary, our report shows that Federal agencies have some 
aspects of strategic planning and performance measurement in 
place, namely strategic plans, goals and investment boards. How- 
ever, to ensure that the Government’s investment in IT is not wast- 
ed, considerable improvements are needed in the areas of perform- 
ance measurement and the oversight of these investments. This 
can be accomplished in part through the expeditious implementa- 
tion of our recommendations and adoption of best practices like our 
IT investment management framework. 

We look forward to working with you, Mr. Chairman, and your 
continued oversight of these and other IT management areas. This 
concludes my statement. I’d be happy to respond to any questions 
that you have. 

[The prepared statement of Mr. Powner follows:] 





GAO 


For Release on Delivery 
Expected at 1:00 p.m. EST 
Wednesday, March 3, 2004 


United States General Accounting Office 

Testimony 

Before the Subcommittee on Technology, 
Information Policy, Intergovernmental 
Relations and the Census, Committee on 
Government Reform, House of Representatives 

INFORMATION TECHNOLOGY MANAGEMENT 

Improvements Needed in Strategic Planning, Performance Measurement, 
and Investment Management Governmentwide 


Statement of David A. Powner, 
Director, Information Technology 
Management Issues 



GAO 

Accountability * Integrity * Reliability 


GAO-04-478T 









GAO Highlights 

Highlights of GAO-04-478T, testimony before the Subcommittee on Technology, 
Information Policy, Intergovernmental Relations and the Census, Committee on 
Government Reform, House of Representatives 

Why GAO Did This Study 

The federal government spends billions of dollars annually on information 
technology (IT) investments that are critical to the effective implementation 
of major government programs. To help agencies effectively manage their 
substantial IT investments, the Congress has established a statutory framework 
of requirements and roles and responsibilities relating to information and 
technology management, that addresses, for example, (1) IT strategic 
planning/performance measurement (which defines what an organization seeks to 
accomplish, identifies the strategies it will use to achieve desired results, 
and then determines how well it is succeeding in reaching results-oriented 
goals and achieving objectives) and (2) IT investment management (which 
involves selecting, controlling, and evaluating investments). 

GAO was asked to summarize its January 2004 report on IT strategic 
planning/performance measurement and investment management (Information 
Technology Management: Governmentwide Strategic Planning, Performance 
Measurement, and Investment Management Can Be Further Improved, GAO-04-49, 
January 12, 2004) and to discuss how agencies can improve their performance in 
these areas. 

www.gao.gov/cgi-bin/getrpt?GAO-04-478T 

To view the full product, click on the link above. For more information, 
contact David Powner at (202) 512-9286 or pownerd@gao.gov. 

March 2004 


INFORMATION TECHNOLOGY 
MANAGEMENT 

Improvements Needed in Strategic 
Planning, Performance Measurement, and 
Investment Management 
Governmentwide 

What GAO Found 

GAO recently reported that the use of important IT strategic planning/ 
performance measurement and investment management practices by 26 
major federal agencies was mixed (see figure below). For example, agencies 
generally had IT strategic plans and goals, but these goals were not always 
linked to specific performance measures that were tracked. Agencies also 
largely had IT investment management boards, but no agency had the 
practices associated with the oversight of IT investments fully in place. 
Although they could not always provide an explanation, agencies cited a 
variety of reasons for not having practices fully in place, including that the 
chief information officer position had been vacant and that the process was 
being revised. By improving their IT strategic planning, performance 
measurement, and investment management, agencies can better ensure that 
they are being responsible stewards of the billions of dollars for IT that they 
have been entrusted with through the wise investment of these monies. 

To help agencies improve in these areas, GAO has made numerous 
recommendations to agencies and issued guidance. For example, in the 
January 2004 report, GAO made recommendations to the 26 agencies 
regarding practices that were not fully in place. In addition, today GAO is 
releasing the latest version of its Information Technology Investment 
Management (ITIM) framework, which identifies critical processes for 
selecting, controlling, and evaluating IT investments and organizes them into 
a framework of increasingly mature stages; thereby providing agencies a 
road map for improving IT investment management processes in a 
systematic and organized manner. 



Source: GAO. 

Percentages do not add to 100 percent due to rounding. 

Note: Yes—the practice was in place. Partially—the agency has some, but not all, aspects of the practice in place. 
Examples of circumstances in which the agency would receive this designation include when (1) some, but not all, 
of the elements of the practice were in place; (2) the agency documented that it has the information or process in 
place but it was not in the prescribed form (e.g., in a specific document as required by law or the Office of 
Management and Budget); (3) the agency's documentation was in draft form; or (4) the agency had a policy 
related to the practice, but evidence supported that it had not been completely or consistently implemented. No—
the practice was not in place. Not applicable—the practice was not relevant to the agency's particular 
circumstances. 

United States General Accounting Office 




Mr. Chairman and Members of the Subcommittee: 

Thank you for the opportunity to join in today’s hearing on the 
government’s information technology (IT) management. This is a critical 
topic because, according to the President’s most recent budget, the federal 
government spends billions of dollars annually on IT — reportedly investing 
about $57 billion in fiscal year 2003.¹ Yet these dollars are not always 
managed wisely. For example, the Administration reported that of the $60 
billion in IT investments requested for fiscal year 2005, $22 billion — 
representing 621 major projects — are currently on its “Management Watch 
List.”² This list includes mission-critical projects that need improvement in 
the areas of performance measures, earned value management,³ and/or IT 
security. 

To help agencies effectively manage their substantial IT investments, the 
Congress has established a statutory framework of requirements and roles 
and responsibilities relating to information and technology management 
through laws such as the Paperwork Reduction Act of 1995⁴ and the 
Clinger-Cohen Act of 1996. This framework addresses, for example, IT 
strategic planning/performance measurement (which defines what an 
organization seeks to accomplish, identifies the strategies it will use to 
achieve desired results, and then determines how well it is succeeding in 
reaching results-oriented goals and achieving objectives), and investment 


¹Office of Management and Budget, Budget of the U.S. Government, Fiscal Year 2005, 
Report on IT Spending for the Federal Government for Fiscal Years 2003, 2004, and 
2005. We did not verify this data. 

²Office of Management and Budget, Budget of the U.S. Government, Fiscal Year 2005, 
Analytical Perspectives. We did not verify these data. 

³Earned value management is a project management tool that integrates the investment 
scope of work with schedule and cost elements for optimum investment planning and 
control. 

⁴The Paperwork Reduction Act of 1995 revised the information resources management 
responsibilities established under the Paperwork Reduction Act of 1980, as amended in 
1986. 


Page 1 


GAO-04-478T IT Management Practices 






management (which involves selecting,⁵ controlling,⁶ and evaluating⁷ 
investments). 

At your request, today I will summarize our recently issued report⁸ on the 
extent to which 26 agencies⁹ had in place 30 important practices 
associated with key legislative and other requirements for IT strategic 
planning/performance measurement and IT investment management (app. 
I lists the 30 practices). I will also discuss how agencies can improve their 
performance in these areas. 


Results in Brief 

The use of important IT strategic planning/performance measurement and 
investment management practices — identified based on legislation, policy, 
and guidance — by the agencies in our review was mixed; collectively the 
agencies had less than 50 percent of the practices fully in place. For 
example, agencies generally had IT strategic plans and goals, but these 
goals were not always linked to specific performance measures that were 
tracked. Without enterprise wide performance measures that are tracked 
against actual results, agencies lack critical information about whether 
their overall IT activities are achieving expected goals. In the investment 


⁵During the selection phase the organization (1) identifies and analyzes each project’s risks 
and returns before committing significant funds to any project and (2) selects those IT 
projects that will best support its mission needs. 

⁶During the control phase the organization ensures that, as projects develop and 
investment expenditures continue, the project is continuing to meet mission needs at the 
expected levels of cost and risk. If the project is not meeting expectations or if problems 
have arisen, steps are quickly taken to address the deficiencies. 

⁷During the evaluation phase, actual versus expected results are compared once projects 
have been fully implemented. This is done to (1) assess the project's impact on mission 
performance, (2) identify any changes or modifications to the project that may be needed, 
and (3) revise the investment management process based on lessons learned. 

⁸U.S. General Accounting Office, Information Technology Management: Governmentwide 
Strategic Planning, Performance Measurement, and Investment Management Can Be 
Further Improved, GAO-04-49 (Washington, D.C.: Jan. 12, 2004). 

⁹We reviewed 23 entities identified in 31 U.S.C. 901 and the 3 military services. These were 
the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, 
Energy, Health and Human Services, Housing and Urban Development, the Interior, 
Justice, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; and the 
Environmental Protection Agency, General Services Administration, National Aeronautics 
and Space Administration, National Science Foundation, Nuclear Regulatory Commission, 
Office of Personnel Management, Small Business Administration, Social Security 
Administration, and U.S. Agency for International Development. 




management area, the agencies largely had IT investment management 
boards, but no agency had the practices associated with the oversight of IT 
investments fuDy in place. Executive-level oversight of project-level 
management activities provides organizations with increased assurance 
that each investment will achieve the desired cost, benefit, and schedule 
results. Although they could not always provide an explanation, agencies 
cited a varied of reasons for not having practices fully in place, such as 
tliat the chief information officer (CIO) position had been vacant and that 
their process was being revised. Regardless of the reason, these practices 
are important ingredients for ensuring effective strategic plaraiing, 
performance measurement, and investment management, which, in turn, 
make it more likely that the billions of dollars in government IT 
investments will not be wasted. 

To help agencies improve their performance in the IT strategic 
planning/performance measurement and IT investment management areas, 
we made numerous recommendations to each of the 26 agencies we 
reviewed. In addition, at today’s hearing we are releasing the latest version 
of our Information Technology Investment Management (ITIM) 
framework.¹⁰ First issued as an exposure draft in May 2000, this version of 
the ITIM includes lessons learned from our use of the framework in our 
agency reviews and by users of the framework. The framework identifies 
critical processes for the successful selection, control, and evaluation of IT 
investments and organizes them into a framework of increasingly mature 
stages. ITIM offers organizations a road map for improving their IT 
investment management processes in a systematic and organized manner. 


Background 


Advances in the use of IT and the Internet are continuing to change the 
way that federal agencies communicate, use, and disseminate information; 
deliver services; and conduct business. For example, electronic 
government (e-government) has the potential to help build better 
relationships between government and the public by facilitating timely and 
efficient interaction with citizens. To help agencies more effectively 
manage IT, the Congress has established a statutory framework of 
requirements and roles and responsibilities relating to information and 
technology management. In particular, the Paperwork Reduction Act of 


¹⁰U.S. General Accounting Office, Information Technology Investment Management: A 
Framework for Assessing and Improving Process Maturity, GAO-04-394G (Washington, 
D.C.: March 2004). 




1995 and the Clinger-Cohen Act of 1996 require agency heads, acting 
through agency CIOs to, among other things, 

• better link their IT planning and investment decisions to program missions 
and goals; 

• develop and maintain a strategic information resources management 
(IRM) plan that describes how IRM activities help to accomplish agency 
missions; 

• develop and maintain an ongoing process to establish goals for improving 
IRM’s contribution to program productivity, efficiency, and effectiveness; 
methods for measuring progress toward these goals; and clear roles and 
responsibilities for achieving these goals; 

• develop and implement a sound IT architecture; 

• implement and enforce IT management policies, procedures, standards, 
and guidelines; 

• establish policies and procedures for ensuring that IT systems provide 
reliable, consistent, and timely financial or program performance data; 

• implement and enforce applicable policies, procedures, standards, and 
guidelines on privacy, security, disclosure, and information sharing. 

Nevertheless, the agencies face significant challenges in effectively 
planning for and managing their IT. Such challenges can be overcome 
through the use of a systematic and robust management approach that 
addresses critical elements such as IT strategic planning and investment 
management. 


Agencies Did Not Always Have Strategic Planning/Performance Measurement and 
Investment Management Practices in Place 


Federal agencies did not always have in place important practices 
associated with IT laws, policies, and guidance related to strategic 
planning/performance measurement and investment management (see fig. 
1). A well-defined strategic planning process helps to ensure that an 
agency’s IT goals are aligned with its strategic goals. Moreover, 
establishing performance measures and monitoring actual-versus- 
expected performance using those measures can help to determine 
whether IT is making a difference in improving performance. Finally, an IT 
investment management process is an integrated approach to managing 




investments that provides for the continuous identification, selection, 
control, life-cycle management, and evaluation of IT investments. 


Figure 1: Percentage of Agencies’ Use of 12 IT Strategic Planning/Performance 
Measurement Practices (left) and 18 Investment Management Practices (right)ᵃ 

Source: GAO. 

ᵃPercentages do not add to 100 percent due to rounding. 

Note: Yes — the practice was in place. Partially — the agency has some, but not all, aspects of the 
practice in place. Examples of circumstances in which the agency would receive this designation 
include when (1) some, but not all, of the elements of the practice were in place; (2) the agency 
documented that it has the information or process in place but it was not in the prescribed form (e.g., 
in a specific document as required by law or the Office of Management and Budget); (3) the agency's 
documentation was in draft form; or (4) the agency had a policy related to the practice, but evidence 
supported that it had not been completely or consistently implemented. No — the practice was not in 
place. Not applicable — the practice was not relevant to the agency's particular circumstances. 

Agency IT officials could not always identify why practices were not in 
place, but in those instances in which reasons were identified, a variety of 
explanations were provided; for example, that the CIO position had been 
vacant, that not including a requirement in the agency’s guidance was an 
oversight, or that the process was being revised. Nevertheless, these 
practices are based on law, executive orders, Office of Management and 
Budget (OMB) policies, and our guidance, and are also important 
ingredients in ensuring effective strategic planning, performance 
measurement, and investment management that, in turn, make it more 
likely that the billions of dollars in government IT investments will be 
wisely spent. 




Agencies’ Use of IT Strategic Planning/Performance Measurement Practices Was Uneven 

Critical aspects of the strategic planning/performance measurement area 
include documenting the agency’s IT strategic planning processes, 
developing IRM plans, establishing goals, and measuring performance to 
evaluate whether goals are being met. Although the agencies often had 
these practices, or elements of these practices, in place, additional work 
remains, as demonstrated by the following examples: 

• Strategic planning process. Strategic planning defines what an 
organization seeks to accomplish and identifies the strategies it will use to 
achieve desired results. A defined strategic planning process allows an 
agency to clearly articulate its strategic direction and to establish linkages 
among planning elements such as goals, objectives, and strategies. About 
half of the agencies had fully documented their strategic planning 
processes. Such processes are an essential foundation for ensuring that IT 
resources are effectively managed. 

• Strategic IRM plans. The Paperwork Reduction Act requires that agencies 
indicate in strategic IRM plans how they are applying information 
resources to improve the productivity, efficiency, and effectiveness of 
government programs. An important element of a strategic plan is that it 
presents an integrated system of high-level decisions that are reached 
through a formal, visible process. The Paperwork Reduction Act also 
requires agencies to develop IRM plans in accordance with OMB’s 
guidance. However, OMB does not provide cohesive guidance on the 
specific contents of IRM plans. Accordingly, although agencies generally 
provided OMB with a variety of planning documents to meet its 
requirement that they submit an IRM plan, these plans were generally 
limited to IT strategic or e-government issues and did not address other 
elements of IRM, as defined by the Paperwork Reduction Act. In 
particular, these plans generally include individual IT projects and 
initiatives, security, and enterprise architecture elements but do not often 
address other information functions — such as information collection, 
records management, and privacy — or the coordinated management of all 
information functions. 

OMB IT staff agreed that the agency has not set forth guidance on the 
contents of agency IRM plans in a single place, stating that its focus has 
been on looking at agencies’ cumulative results and not on planning 
documents. These staff also noted that agencies account for their IRM 
activities through multiple documents (e.g., Information Collection 



29 


Budgets" and Goveinment P^erwork Elimination Act‘^ plans). 
Nevertheless, half the ^encies indicated a need for 0MB to provide 
additional guidance on the development and content of IRM plans. 
Accordingly, we recommended that 0MB develop and disseminate to 
<^encies guidance on developing IRM plans. 

• IT goals. The Paperwork Reduction Act and the Clinger-Cohen Act require 
agencies to establish goals that address how IT contributes to program 
productivity, efficiency, effectiveness, and service delivery to the public. 
We have previously reported that leading organizations define specific 
goals, objectives, and measures, use a diversity of measure types, and 
describe how IT outputs and outcomes impact operational customer and 
agency program delivery requirements.¹³ The agencies generally had the 
types of goals outlined in the Paperwork Reduction Act and the 
Clinger-Cohen Act. However, five agencies did not have one or more of the 
goals required by the Paperwork Reduction Act and the Clinger-Cohen Act. 
It is important that agencies specify clear goals and objectives to set the 
focus and direction for IT performance. 

• IT performance measures. The Paperwork Reduction Act, the 
Clinger-Cohen Act, and an executive order¹⁴ require agencies to establish a 
variety of IT performance measures — such as those related to how IT 
contributes to program productivity, efficiency, and effectiveness — and to 
monitor the actual-versus-expected performance using those measures. 
Although the agencies largely had one or more of the required performance 
measures in place, these measures were not always linked to the agencies’ 
enterprisewide IT goals. Moreover, few agencies monitored 
actual-versus-expected performance for all of their enterprisewide IT goals. 
Specifically, although some agencies tracked actual-versus-expected 
outcomes for the IT performance measures in their performance plans or 
accountability reports and/or for specific IT projects, they generally did not 
track the performance measures that were specified in their IRM plans. As 
we have previously reported, an effective IT performance management 
system offers a variety of benefits, including serving as an early warning 
indicator of problems and the effectiveness of corrective actions; providing 
input to resource allocation and planning; and providing periodic feedback 
to employees, customers, stakeholders, and the general public about the 
quality, quantity, cost, and timeliness of products and services.¹⁵ Moreover, 
without enterprisewide performance measures that are tracked against 
actual results, agencies lack critical information about whether their 
overall IT activities are achieving expected goals. 

¹¹Each year, OMB’s Office of Information and Regulatory Affairs publishes an Information 
Collection Budget by gathering data from executive branch agencies on the total number of 
burden hours it approved for collection of information at the end of the fiscal year and 
agency estimates of the burden for the coming fiscal year. 

¹²In fulfilling its responsibilities under this act, OMB requires agencies to report to OMB on 
their plans for providing the public with the option of submitting, maintaining, and 
disclosing required information electronically, instead of on paper. 

¹³U.S. General Accounting Office, Executive Guide: Measuring Performance and 
Demonstrating Results of Information Technology Investments, GAO/AIMD-98-89 
(Washington, D.C.: March 1998). 

¹⁴Executive Order 13103, Computer Software Piracy (September 30, 1998). 

• Benchmarking. The Clinger-Cohen Act requires agencies to quantitatively 
benchmark agency process performance against public- and private-sector 
organizations, where comparable processes and organizations exist. 
Benchmarking is used because there may be external organizations that 
have more innovative or more efficient processes than their own 
processes. Seven agencies in our review had mechanisms in place — such 
as policies and strategies — related to benchmarking their IT processes. In 
general, however, agencies’ benchmarking decisions were ad hoc. Few 
agencies had developed a mechanism to identify comparable external 
private- or public-sector organizations and processes and/or had policies 
related to benchmarking, although all but 10 of the agencies provided 
examples of benchmarking that they had performed. Our previous study of 
IT performance measurement at leading organizations found that they had 
spent considerable time and effort comparing their performance 
information with that of other organizations.¹⁶ 

Agency IT officials could not identify why strategic planning/performance 
measurement practices were not in place in all cases, but in those 
instances in which reasons were identified, a variety of explanations were 
provided. For example, reasons cited by agency IT officials included that 
they lacked the support from agency leadership, that the agency had not 
been developing IRM plans until recently and recognized that the plan 
needed further refinement, that the process was being revised, and that 
requirements were evolving. 


¹⁵GAO/AIMD-98-89. 

¹⁶GAO/AIMD-98-89. 


Without strong strategic management practices, it is less likely that IT is 
being used to maximize improvement in mission performance. Moreover, 
without enterprisewide performance measures that are being tracked 
against actual results, agencies lack critical information about whether 
their overall IT activities, at a governmentwide cost of billions of dollars 
annually, are achieving expected goals. 


Agencies’ Use of IT Investment Management Practices Was Mixed 

Critical aspects of IT investment management include developing 
well-supported proposals, establishing investment management boards, and 
selecting and controlling IT investments. The agencies’ use of practices 
associated with these aspects of investment management was 
wide-ranging, as follows: 

• IT investment proposals. Various legislative requirements, an executive 
order, and OMB policies provide minimum standards that govern agencies’ 
consideration of IT investments. In addition, we have issued guidance to 
agencies for selecting, controlling, and evaluating IT investments.¹⁷ Such 
processes help ensure, for example, that investments are cost-beneficial 
and meet mission needs and that the most appropriate development or 
acquisition approach is chosen. The agencies in our review had mixed 
results when evaluated against these various criteria. For example, the 
agencies almost always required that proposed investments demonstrate 
that they support the agency’s business needs, are cost-beneficial, address 
security issues, and consider alternatives. However, they were not as likely 
to have fully in place the Clinger-Cohen Act requirement that agencies 
follow, to the maximum extent practicable, a modular, or incremental, 
approach when investing in IT projects. Incremental investment helps to 
mitigate the risks inherent in large IT acquisitions/developments by 
breaking apart a single large project into smaller, independently useful 
components with known and defined relationships and dependencies. 

• Investment management boards. Our investment management guide 
states that establishing one or more IT investment board(s) is a key 
component of the investment management process. Such executive-level 
boards, made up of business-unit executives, concentrate management’s 
attention on assessing and managing risks and regulating the trade-offs 
between continuing to fund existing operations and developing new 
performance capabilities. Almost all of the agencies in our review had one 
or more enterprise-level investment management board. However, the 
investment management boards for six agencies were not involved, or the 
agency did not document the boards’ involvement, in the control phase. 
Maintaining responsibility for oversight with the same body that selected 
the investment is crucial to fostering a culture of accountability by holding 
the investment board that initially selected an investment responsible for 
its ongoing success. 

¹⁷For example, see GAO-04-394G. 

• Selection of IT investments. During the selection phase of an IT 
investment management process, the organization (1) selects projects that 
will best support its mission needs and (2) identifies and analyzes each 
project’s risks and returns before committing significant funds. To achieve 
desired results, it is important that agencies have a selection process that, 
for example, uses selection criteria to choose the IT investments that best 
support the organization’s mission and that prioritizes proposals. 
Twenty-two agencies used selection criteria in choosing their IT 
investments. In addition, about half the agencies used scoring models¹⁸ to 
help choose their investments. 

• Control over IT investments. During the control phase of the IT 
investment management process, the organization ensures that, as 
projects develop and as funds are spent, the project is continuing to meet 
mission needs at the expected levels of cost and risk. If the project is not 
meeting expectations or if problems have arisen, steps are quickly taken to 
address the deficiencies. In general, the agencies were weaker in the 
practices pertaining to the control phase of the investment management 
process than to the selection phase and no agency had the practices 
associated with the control phase fully in place. In particular, the agencies 
did not always have important mechanisms in place for agencywide 
investment management boards to effectively control investments, 
including decision-making rules for project oversight, early warning 
mechanisms, and/or requirements that corrective actions for 
under-performing projects be agreed upon and tracked. Executive level 
oversight of project-level management activities provides an organization 
with increased assurance that each investment will achieve the desired 
cost, benefit, and schedule results. 


¹⁸With a scoring model, the assessment body typically attaches numerical scores and 
“relative value” weights to each of the individual selection criteria. Investments are then 
assessed relative to these scores and then against weights associated with each individual 
criterion. Finally, the weighted scores are summed to create a numerical value for each 
investment. 


Among the variety of reasons that agencies cited for not having IT 
investment management practices fully in place were that the CIO position 
had been vacant, that not including a requirement in the IT investment 
management guide was an oversight, and that the process was being 
revised. However, in some cases agencies could not identify why certain 
practices were not in place. It is important that agencies address their 
shortcomings, because only by effectively and efficiently managing their IT 
resources through a robust investment management process can they gain 
opportunities to make better allocation decisions among many investment 
alternatives and to further leverage their IT investments. 


Improving Agencies’ IT Strategic Planning/Performance Measurement and 
Investment Management 


To help agencies improve their IT strategic planning/performance 
measurement and investment management, we have made numerous 
recommendations to agencies and issued guidance. Specifically, in our 
January 2004 report we made recommendations to the 26 agencies in our 
review regarding practices that were not fully in place. These 
recommendations addressed issues such as IT strategic planning; 
establishing and linking enterprisewide goals and performance measures 
and tracking progress against these measures; and selecting, controlling, 
and evaluating investments. By implementing these recommendations, 
agencies can better ensure that they are using strategic planning, 
performance measurement, and investment management practices that are 
consistent with IT legislation, executive orders, OMB policies, and our 
guidance. 


Another mechanism that agencies can use to improve their IT management 
is to apply the management frameworks and guides that we have issued, 
which are based on our research into IT management best practices and 
our evaluations of agency IT management performance.¹⁹ In this vein, 
today we are releasing the latest version of our ITIM framework.²⁰ This 
framework identifies and organizes critical processes for selecting, 
controlling, and evaluating IT investments into a framework of 
increasingly mature stages (see fig. 2). 


¹⁹For example, see U.S. General Accounting Office, Information Technology: A Framework 
for Assessing and Improving Enterprise Architecture Management (Version 1.1), 
GAO-03-584G (Washington, D.C.: April 2003) and GAO/AIMD-98-89. 

²⁰GAO-04-394G. 


Figure 2: The ITIM Stages of Maturity with Critical Processes 


Maturity stages and their critical processes: 

Stage 5: Leveraging IT for strategic outcomes 
• Optimizing the investment process 
• Using IT to drive strategic business change 

Stage 4: Improving the investment process 
• Improving the portfolio's performance 
• Managing the succession of information systems 

Stage 3: Developing a complete investment portfolio 
• Defining the portfolio criteria 
• Creating the portfolio 
• Evaluating the portfolio 
• Conducting postimplementation reviews 

Stage 2: Building the investment foundation 
• Instituting the investment board 
• Meeting business needs 
• Selecting an investment 
• Providing investment oversight 
• Capturing investment information 

Stage 1: Creating investment awareness 
• IT spending without disciplined investment processes 

Source: GAO. 


First issued as an exposure draft in May 2000, this new version of the ITIM 
includes lessons learned from our use of the framework in our agency 
reviews and from lessons conveyed to us by users of the framework. In 
addition, in order to validate the appropriateness of our changes and to 
gain the advantage of their experience, we had the new version reviewed 
by several outside experts who are familiar with the ITIM exposure draft 
and with investment management in a broad array of public and private 
organizations. 

ITIM can be used to analyze an organization’s investment management 
processes and to determine its level of maturity. The framework is useful 
to many federal agencies because it provides: (1) a rigorous, standardized 
tool for internal and external evaluations of an agency’s IT investment 
management process; (2) a consistent and understandable mechanism for 
reporting the results of these assessments to agency executives, Congress, 
and other interested parties; and (3) a road map that agencies can use for 
improving their investment management processes. Regarding the first 
two points, we and selected agency Inspectors General have used the ITIM 
to evaluate and report on the investment management processes of several 
agencies.²¹ Concerning the third point, a number of agencies have 
recognized the usefulness of the ITIM framework and have used it to 
develop and enhance their investment management strategies. For 
example, one agency uses the framework to periodically review its IT 
investment management capabilities and has developed an action plan to 
move through the stages of maturity. 


In summary, our January 2004 report indicates that the federal government 
can significantly improve its IT strategic planning, performance 
measurement, and investment management. Such improvement would 
better ensure that agencies are being responsible stewards of the billions 
of dollars for IT with which they have been entrusted, by helping them to 
invest these monies wisely. This can be accomplished, in part, through the 
expeditious implementation of our recommendations and the adoption of 
best practices, which we have incorporated into our IT management 
frameworks and guides such as the ITIM. 

Mr. Chairman, this completes my prepared statement. I would be happy to 
respond to any questions that you or other Members of the Subcommittee 
may have at this time. 


²¹For example, see U.S. General Accounting Office, Information Technology: 
Departmental Leadership Crucial to Success of Investment Reforms at Interior, 
GAO-03-1028 (Washington, D.C.: Sept. 12, 2003); Bureau of Land Management: Plan 
Needed to Sustain Progress in Establishing IT Investment Management Capabilities, 
GAO-03-1025 (Washington, D.C.: Sept. 12, 2003); United States Postal Service: 
Opportunities to Strengthen IT Investment Management Capabilities, GAO-03-3 
(Washington, D.C.: Oct. 15, 2002); Information Technology: DLA Needs to Strengthen Its 
Investment Management Capability, GAO-02-314 (Washington, D.C.: Mar. 15, 2002); and 
Information Technology: INS Needs to Strengthen Its Investment Management 
Capability, GAO-01-146 (Washington, D.C.: Dec. 29, 2000). 


Contacts 

For questions regarding this statement, please contact me at 
(202) 512-9286 or by e-mail at pownerd@gao.gov. Specific questions 
related to our January 2004 report may also be directed to Linda Lambert 
at (202) 512-9556 or via e-mail at lambertl@gao.gov or Mark Shaw at (202) 
512-6251 or via e-mail at shawm@gao.gov. Questions related to the ITIM 
framework can be directed to Lester Diamond at (202) 512-7957 or via 
e-mail at diamondl@gao.gov. 


Appendix I: Information Technology (IT) Strategic Planning/Performance 
Measurement and Investment Management Practices 


Table 1 describes the 12 IT strategic planning/performance measurement 
and the 18 IT investment management practices that we used in our 
January 2004 report on the government’s performance in these areas.¹ We 
identified these 30 practices after reviewing major legislative requirements 
(e.g., the Paperwork Reduction Act of 1995 and the Clinger-Cohen Act of 
1996), executive orders, Office of Management and Budget policies, and 
our own guidance. 

¹U.S. General Accounting Office, Information Technology Management: Governmentwide 
Strategic Planning, Performance Measurement, and Investment Management Can Be 
Further Improved, GAO-04-49 (Washington, D.C.: Jan. 12, 2004). 

Table 1: IT Strategic Planning/Performance Measurement and Investment Management Practices 

Practice number and practice description 

IT Strategic Planning/Performance Measurement Practices 

1.1   The agency has documented its IT strategic management process, including, at a minimum, 
      • the responsibilities and accountability for IT resources across the agency, including the relationship between the chief 
        information officer (CIO), chief financial officer (CFO), and mission/program officials; and 
      • the method by which the agency defines program information needs and develops strategies, systems, and 
        capabilities to meet those needs. 

1.2   The agency has documented its process to integrate IT management operations and decisions with organizational 
      planning, budget, financial management, human resources management, and program decisions. 

1.3   The agency requires that information security management processes be integrated with strategic and operational 
      planning processes. 

1.4   The agency has a process that involves the CFO, or comparable official, to develop and maintain a full and accurate 
      accounting of IT-related expenditures, expenses, and results. 

1.5   The agency prepares an enterprisewide strategic information resources management (IRM) plan that, at a minimum, 
      • describes how IT activities will be used to help accomplish agency missions and operations, including related 
        resources; and 
      • identifies major IT acquisition program(s) or any phase or increment of that program that has significantly deviated 
        from the cost, performance, or schedule goals established for the program. 

1.6   The agency’s performance plan required under GPRA includes 
      • a description of how IT supports strategic and program goals, 
      • the resources and time periods required to implement the information security program plan required by the Federal 
        Information Security Management Act (FISMA), and 
      • a description of major IT acquisitions contained in the capital asset plan that will bear significantly on the achievement 
        of a performance goal. 

1.7   The agency has a documented process to 
      • develop IT goals in support of agency needs, 
      • measure progress against these goals, and 
      • assign roles and responsibilities for achieving these goals. 

1.8   The agency has established goals that, at a minimum, address how IT contributes to 
      • program productivity, 
      • efficiency, 
      • effectiveness, and 
      • service delivery to the public (if applicable). 

1.9   The agency has established IT performance measures and monitors actual-versus-expected performance that at least 
      addresses 
      • how IT contributes to program productivity, 
      • how IT contributes to the efficiency of agency operations, 
      • how IT contributes to the effectiveness of agency operations, 
      • service delivery to the public (if applicable), 
      • how electronic government initiatives enable progress toward agency goals and statutory mandates, 
      • the performance of IT programs (e.g., system development and acquisition projects), and 
      • agency compliance with federal software piracy policy. 

1.10  The agency has developed IT performance measures that align with and support the goals in the GPRA performance 
      plan. 

1.11  The agency developed an annual report, included as part of its budget submission, that describes progress in achieving 
      goals for improving the efficiency and effectiveness of agency operations and, as appropriate, the delivery of services to 
      the public through the effective use of IT. 

1.12  The agency requires that its IT management processes be benchmarked against appropriate processes and/or 
      organizations from the public and private sectors in terms of cost, speed, productivity, and quality of outputs and 
      outcomes where comparable processes and organizations in the public or private sectors exist. 

IT Investment Management Practices 

2.1   The agency has a documented IT investment management process that, at a minimum, 
      • specifies the roles of key people (including the CIO) and groups within the IT investment management process, 
      • outlines significant events and decision points, 
      • identifies external and environmental factors that influence the process, 
      • explains how the IT investment management process is coordinated with other organizational plans and processes, 
        and 
      • describes the relationship between the investment management process and the agency’s enterprise architecture. 

2.2   The agency established one or more agencywide IT investment management boards responsible for selecting, 
      controlling, and evaluating IT investments that, at a minimum, 
      • have final project funding decision authority (or provide recommendations) over projects within their scope of authority, 
        and 
      • are composed of key business unit executives. 

2.3   The agencywide board(s) work processes and decision-making processes are described and documented. 

2.4   If more than one IT investment management board exists in the organization (e.g., at the component level), the 
      organization has 
      • documented policies and procedures that describe the processes for aligning and coordinating IT investment decision 
        making, 
      • criteria for determining where in the organization different types of IT investment decisions are made, and 
      • processes that describe how cross-functional investments and decisions (e.g., common applications) are handled. 

2.5   As part of its investment management process, the agency has available an annually updated comprehensive inventory 
      of its major information systems that includes major national security systems and interfaces. 

2.6   A standard, documented procedure is used so that developing and maintaining the inventory is a repeatable event, which 
      produces inventory data that are timely, sufficient, complete, and compatible. 

2.7   The IT asset inventory is used as part of managerial decision making. 

2.8   Proposed IT investments are required to document that they have addressed the following items during project planning: 
      • that the project supports the organization's business and mission needs and meets users’ needs, 
      • whether the function should be performed by the public or private sector, 
      • whether the function or project should be performed or is being performed by another agency, 
      • that alternatives have been considered, and 
      • how security will be addressed. 

2.9   In considering a proposed IT project, the agency requires that the project demonstrate that it is economically beneficial 
      through the development of a business case that at least addresses costs, benefits, schedule, and risks. 

2.10  In considering a proposed IT project, the agency requires that the project demonstrate that it is consistent with federal 
      and agency enterprise architectures. 

2.11  The agency requires that the proposed IT investment, at a minimum, 
      • support work processes that it has simplified or redesigned to reduce costs and improve effectiveness, and 
      • make maximum use of commercial-off-the-shelf (COTS) software. 

2.12  The agency has established project selection criteria distributed throughout the organization that include, at a minimum, 
      • cost, benefit, schedule, and risk elements; 
      • measures such as net benefits, net risks, and risk-adjusted return on investment; and 
      • qualitative criteria for comparing and prioritizing alternative information systems investment projects. 

2.13  The agency has established a structured selection process that, at a minimum, 
      • selects IT proposals using selection criteria; 
      • identifies and addresses possible IT investments and proposals that are conflicting, overlapping, strategically unlinked, 
        or redundant; 
      • prioritizes proposals; and 
      • is integrated with budget, financial, and program management decisions. 

2.14  Agency policy calls for investments to be modularized (e.g., managed and procured in well-defined useful segments or 
      modules that are short in duration and small in scope) to the maximum extent achievable. 

2.15  The agencywide investment management board(s) has written policies and procedures for management oversight of IT 
      projects that cover, at a minimum, 
      • decision-making rules for project oversight that allow for terminating projects, when appropriate; 
      • current project data, including expected and actual cost, schedule, and performance data, to be provided to senior 
        management periodically and at major milestones; 
      • criteria or thresholds related to deviations in cost, schedule, or system capability actuals versus expected project 
        performance; and 
      • the generation of an action plan to address a project's problem(s) and track resolution. 

2.16  The agencywide investment management board(s) established an oversight mechanism of funded investments that, at a 
      minimum, 
      • determines whether mission requirements have changed; 
      • determines whether the investment continues to fulfill ongoing and anticipated mission requirements; 
      • determines whether the investment is proceeding in a timely manner toward agreed-upon milestones; 
      • employs early warning mechanisms that enable it to take corrective action at the first sign of cost, schedule, or 
        performance slippages; and 
      • includes the use of independent verification and validation (IV&V) reviews of under-performing projects, where 
        appropriate. 

2.17  Corrective actions for under-performing projects are agreed upon, documented, and tracked by the agencywide 
      investment management board(s). 

2.18  The agencywide investment management board(s) requires that postimplementation reviews be conducted to 
      • validate expected benefits and costs and 
      • document and disseminate lessons learned. 


Source: GAO. 


(310463) 


Page 18 


GAO-04-478T IT Management Practices 




41 


Q^Q’g Mission ’ nie General Accounting Ofnce, the audit, evaluation and investigative arm of 

Congress, exists to support Ctongre^ in meeting its constitutional responsibilities 
ajid to help improve the performance and accountability of the federal 
government for the American people. GAO examines d\e use of public funds; 
evaluate federal progran^ and policies; and provides analyses, 
recommendations, and other assistance to help Confess make informed 
oversight, policy, and funding decisions. GAO's commitment to good govenunent 
is reflected in its core values of accountability, integrity, and reliability. 


Obtaining Copies of 
GAO Reports and 
Testimony 


The fastest and easi^ way to obtain copies of GAO documents at no cost is 
through the Internet GAO’s Web site (www.gao.gov) contains abstracts and ftill- 
text files of current reports and testimony and an expanding archive of older 
products. The Web site features a search engine to help you locate documents 
using key words and phrases. You can print these documents in their entirety, 
including charts and other graphite. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site 
daily. The list contains links to the full-text document files. To have GAO e-mail 
this list to you every afternoon, go to www.gao.gov and select “Subscribe to e-mail 
alerts” under the “Order GAO Products” heading. 


Order by Mail or Phone 

The first copy of each printed report is free. Additional copies are $2 each. A 
check or money order should be made out to the Superintendent of Documents. 
GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a 
single address are discounted 25 percent. Orders should be sent to: 

U.S. General Accounting Office 
441 G Street NW, Room LM 
Washington, D.C. 20548 

To order by Phone: Voice: (202) 512-6000 

TDD: (202)512-2537 

Fax: (202)512-6061 


To Report Fraud, 
Waste, and Abuse in 
Federal Programs 


Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 
E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5464 or (202) 612-7470 


Public Affairs 


Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 612-4800 
U.S. General Accounting Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548 




Mr. Putnam. Thank you very much, Mr. Powner, and we cer- 
tainly have some. I’d like to begin with Mr. Johnson. You have ex- 
perience in the private sector, experience in State government and 
probably more experience in Federal Government now than you 
ever wanted. Tell me, explain if you would, where you think the 
President’s management agenda is, where some of the successes 
have been and frankly, what the greatest obstacles continue to be 
and perhaps some ways where Congress can help. 

Mr. Johnson. Regarding IT? 

Mr. Putnam. Let’s start in general. Let’s start out here and then 
work our way into IT. Ms. Evans, I think, is going to have plenty 
of questions on IT, but while we have you, I’m curious to know just, 
in general, on the agenda. 

Mr. Johnson. When the President’s management agenda was in- 
troduced in August 2001, thinking in terms of the scorecard that 
we use, 130 scores, 5 initiatives, 26 agencies, 110 of those were red. 
About half of them are red now and by this summer, 3 years after 
the beginning of the introduction of the agenda, I would guess 
there might be 30 or 40 reds. The average agency 2 plus years ago 
was red, the way we keep score. The average agency, this summer, 
3 years later, will be yellow and if you look at the description of 
what a yellow agency is, it’s a very different place. It’s much more 
focused on results. It’s a different place to work for. It’s a different 
place to be served by if you’re a citizen or taxpayer. It’s a different 
place for Congress to interact with and I would suggest better in 
all instances and that’s just at yellow. And the next step is to go 
to green. 

We’re pleased with those, the progress that’s been made. One of 
the things that’s interesting is that every component part of what 
it takes to be green has been in every subpart of every initiative 
has been achieved by at least one agency. So we know that every- 
thing that we say is required to be green is really advanced state 
of management practice, is physically possible. Some part of the 
Federal Government has demonstrated their physical ability to do 
that, so it’s not a question of can we do it, it’s a question of how 
we do it and how quickly we can do that. 

The agencies own this. It began as the President’s management 
agenda. I think it’s become the agencies’ management agenda. I 
think that the employees at the Interior Department and HHS and 
etc., realize that it’s better to work for a results-oriented organiza- 
tion than it is for one that’s not. This is good for them and I think 
they have embraced it in almost every case and so the pace of im- 
plementation is accelerating. 

So we are pleased with the progress to date. There’s still a lot 
of progress to be made and one of our primary responsibility is to 
help agencies get to where they want to be. They have identified, 
they’re starting to identify now longer term goals, where they’d like 
to be a year from now, 2 years from now. And so OMB started off 
pushing them a quarter at a time. Now we’re helping them get to 
where they want to be. 

So we can do this. We can get to where you, we, all want the 
IT part of this agenda to be, and it’s just a question of making sure 
there’s plenty of rigor, plenty of discipline, plenty of attention. 
There’s a lot of check and balance. There’s things we can do to 
make sure that agencies understand what the goal is, understand 
the importance of qualified management people, understand the 
importance of security and there are ways of making sure that they 
don’t spend money on other things until they’ve taken care of that 
and we just to make sure that those disciplines are, in fact, en- 
forced and that the proper attention is paid to all of these three 
or four most important parts of getting our IT management to 
where we all want it to be. 

Mr. Putnam. On the IT side, we spent an awful lot of time, in 
fact, it probably comes up in every single hearing we have, lament- 
ing the fact that our IT issues are not technological problems. 
They’re not even financial hurdles. They’re cultural. They’re insti- 
tutional barriers to change. And in our little committee scorecard 
and on FISMA and other ways of kind of measuring these things 
we find that when the Secretary of the respective department 
makes the President’s management agenda a priority, then things 
happen. And what I really don’t have a good feel for is who keeps 
that on their agenda. Does it happen in Cabinet meetings? Does it 
happen at the chief of staff level? Is that what you do all day? Who 
keeps pushing these issues to keep the President’s management 
agenda, the mechanics of operating the Government, even though 
in Treasury you’re worried about collections and you’re worried 
about the falling dollar and in Justice you’re worrying about pro- 
tecting this and all these kinds of things. Everybody has their own 
problems associated with the mission, but who reminds them to 
keep their eye on the ball of the mechanics and the process of mak- 
ing Government work smarter? 

Mr. Johnson. Well, all that you mentioned. In fact, I talked to 
Brian Montgomery who is the person, the Cabinet Secretary in the 
White House. The President has, I think it’s quarterly, maybe 
monthly meetings with each Cabinet Secretary, whether he needs 
to or not, whether they need it or not. And every time he meets 
with them he asks them and inquires about their status on the 
President’s management agenda and are they pleased with their 
progress. It comes up at Cabinet meetings. At their Cabinet meet- 
ing in January, I think the Attorney General talked about his 
scorecard and the next person to talk was John Snow, Secretary 
Snow who’s got five reds. It was a very difficult 2 minutes for the 
Secretary. In fact, the next week the Secretary called me. We went 
to have lunch and he was seeking advice on how to get the Depart- 
ment of Treasury out of a red status state. So a little public shame 
and humiliation within the Cabinet and outside also keeps their at- 
tention. 

I work directly with the Chief Operating Officers, the Deputies 
in most cases, of the agencies and we are in constant communica- 
tion on all of the President’s management agenda items and again, 
helping them get to where, as I said, they want to be. And they 
all have very aggressive goals for their agencies. These are all com- 
petitive people and they also want to do the right thing. They want 
to leave a good, strong legacy and so it’s not like we’re trying to 
get them to pay attention. It’s like we’re trying to help them get 
to where they want to be. 

So I’m working at it on the operating standpoint that Cabinet 
Secretaries are reminded in informal meetings and at Cabinet 
meetings, not every Cabinet meeting, but they talked about it at 
the January Cabinet meeting I know for sure. So it’s all of the 
above. 

And the public quarterly scorecard puts that out there for all to 
see and make of it what they will. 

Mr. Putnam. Thank you. Clinger-Cohen was enacted 8 years ago 
and it gave OMB responsibility and the authority to raise the concerns 
that are addressed in the GAO’s findings and, after 8 years, 
the results are mixed as the report and Mr. Powner indicated. 

And Clinger-Cohen holds OMB responsible. Rightly or wrongly, 
they’re the designated, the buck stops with you all. How do you re- 
spond to some of the findings of this GAO report? 

We’ll begin with Mr. Johnson. 

Mr. Johnson. It’s better. It’s kind of like our situation with 
homeland security. It’s a whole lot better than it used to be. It’s 
not good enough. And 20 some odd percent of our systems used to 
be secured. It’s now 62. Our plan is for it to be 80 this year. Our 
plan is for it to be this year 80. The goal to be green in our — keep- 
ing scores — all but 90 percent of all the systems be secure. We have 
whatever it is half of the systems that are on the watch list. That’s 
unsatisfactory. We’re doing a better job this year of putting restric- 
tions on agencies via apportionment, via whatever mechanisms we 
have to make sure that they address security matters, quality of 
management matters, quality of business case matters before they 
spend development moneys on new systems. 

So we’re trying to put more rigor, more discipline, more check 
and balance into the enforcement of these mechanisms this year 
than we even have done in the past and I have confidence, plus the 
fact that Karen is there, that we will continue to make progress on 
this. 

The progress, particularly in the security area is not what we 
planned for it to be this year, but we intend to correct that. 

Mr. Putnam. Ms. Evans, do you wish to add anything to that? 

Ms. Evans. I think that Mr. Johnson has clearly summed up 
where our priorities are and what we are doing is using the mechanisms 
that are available to us as OMB to ensure that the agencies 
are really adhering to what the goals of the administration are, so 
that we can adequately address this, we do the recommended ac- 
tions that are in the GAO report that next time this is evaluated 
that you will see that it is implemented versus the mixed results 
that it currently demonstrates. 

Mr. Putnam. The GAO mentioned in their testimony that most 
agencies do not have information resources, management plans 
that are supposed to address privacy records management, infor- 
mation collection. Half the agencies told GAO they would like to 
see additional guidance on the content of those plans and at the 
same time the 2005 budget document discusses the OMB’s evalua- 
tion of their IRM practices. 

How does OMB evaluate those plans that GAO says are not complete 
and do you share their opinion that they’re incomplete? 

Ms. Evans. There are several requirements that are on the agencies 
as far as how they need to manage their overall IT investments. 
The IRM strategic plan is one of many plans that the agencies 
submit. As far as the recommendation about OMB offering additional 
guidance as far as strategic plans, we’re evaluating that 
now. We did tell GAO orally that we didn’t plan to give them more 
specific guidance, but that we were evaluating our overall guidance 
that we give out in A-11 and A-130 as far as how the agencies 
would move forward and how they would manage their IT portfolio 
overall. 

So what we’re doing now is in our post mortem of fiscal year 
2005’s budget submission, we’re looking at what guidance needs to 
be supplemented and then update that and we’ll be working with 
the agencies through the CIO Council to issue draft guidance short- 
ly to address some of the concerns that were in here. But right 
now, we do not specifically intend to just address IRM strategic 
plans, but really to address guidance as a whole for portfolio man- 
agement. 

Mr. Putnam. Mr. Powner, do you want to address this? 

Mr. Powner. One comment I think OMB does deserve a fair 
amount of credit through the budget submission process, the 300 
process that most folks refer to, we found in our review that the 
questions that they asked on the front end when the budgets are 
submitted, that agencies generally have those practices in place. I 
think where a lot of attention and focus needs to go now is once 
we prioritize and select investments and we decide to march for- 
ward, that’s where we started seeing the rigor and the practices 
not really being in place. So when we have agencies that contin- 
ually have these cost overruns and schedule slippages and not de- 
livering functionality, that’s where we really need to put processes 
into place to make sure that we’re staying on track with the bene- 
fits promised and we’re delivering within cost and schedule. So 
OMB clearly has made some strides in terms of the agency’s rigor 
on that front end. 

Also too, there’s a fair amount of accountability that resides 
within the agencies with the CIOs. If we go back to the legislation 
that’s in place, a lot of the accountability does reside with the 
CIOs, so I think it’s a combination of the two. OMB can do their 
part, but we’re going to continue to push and ensure that the CIOs 
are performing these functions that are called for in law and basi- 
cally are called for in best practices in IT management. 

Mr. Putnam. Thank you very much. The ranking member of the 
subcommittee, Mr. Clay, is from Missouri, and when he walks in 
the spotlights come on. If I had known that I would have put on 
a little more powder. 

You’re recognized for your questions and remarks. 

Mr. Clay. Thank you, Mr. Chairman, let me say that I’m glad 
that this is our first meeting of the year and I’m glad to be back 
here with you. I’m glad to see the panel here today and this is a 
pretty important subject to talk about, the IT role of Government, 
as our first meeting now for this session of Congress and thank you 
for calling it. 

For Mr. Johnson, generally speaking, do you consider the Gov- 
ernment’s annual investment of roughly $60 billion in IT an ade- 
quate level of funding or are we spending too much on IT systems 
and not enough on implementing and training? Should the 
amounts be adjusted to an appropriate level in order to better inte- 
grate new IT programs and systems at the agencies? 





Mr. Johnson. I didn’t hear the last part. Are we doing invest- 
ments or should we be spending more on implementing? 

Mr. Clay. Let’s start over. Should the Government’s annual in- 
vestment of roughly $60 billion in IT — is it an adequate level of 
funding, first of all? 

Mr. Johnson. Yes, I believe it is. Agencies requested more than 
that, but the amount that was agreed to and budgeted for was $58 
point whatever it is billion. We didn’t think there was a strong 
enough business case for the additional $4, $5 or $6 billion that 
were requested. 

The agencies are challenged to achieve the goals of their mission, 
goals of their agency and they are encouraged to figure out how in- 
vestments in IT can help them achieve those goals and so it’s all 
supposed to be mission-specific and they come to us with their rec- 
ommendations and it adds up to $60 plus billion. We looked at it 
and decided that, in fact, it was a legitimate reason to spend the 
$58 billion this year. So yes, I would say that in light of what the 
Federal Government’s individual agencies’ goals are, it is an appro- 
priate amount to be spending. 

Mr. Clay. Does the $58 billion also include implementation and 
training of employees on the system? 

Mr. Johnson. I do not know that. Karen. 

Ms. Evans. As the agencies prepare their business cases, they’re 
supposed to plan for the full life cycle of that investment. So that 
would mean that representative in that amount does deal with de- 
pending on how they’re reporting a business case. So if it’s develop- 
ment, if it’s in the early stages of development or steady state 
which is on-going, they have to reflect the full cost such as training 
and implementation. So if it’s a new investment, those investment 
dollars should include training and implementation of the users for 
that system as well as cybersecurity. 

Mr. Clay. Do we need to address the levels of appropriations at 
this point or is this adequate to $58 to $60 billion? Is it adequate 
or do you need an adjustment on that? 

Ms. Evans. Sir, based on the President’s budget submission and 
the review that my office did in accordance with the budget exam- 
iners, we believe that on the business cases, the way that they 
have been justified, that it is an adequate level that reflects the ad- 
ministration’s priorities. 

Mr. Clay. Well put. And in your opinion do the annual perform- 
ance reports of the Government Performance and Results Act pro- 
vide an adequate forum for agencies to communicate their informa- 
tion about IT acquisition programs or should another tool for such 
information be dedicated to the process? 

Ms. Evans. I think right now in conjunction, the business cases 
have a fairly rigorous process associated with that and with the 
questions that the agencies are asked about their investments, but 
I also — we are working very closely with another part of the Presi- 
dent’s management agenda which is budget and performance inte- 
gration and on that particular element there is an assessment tool 
that is also in there, the PART, which is the Program Assessment 
Rating Tool which talks about the program overall. So the IT in- 
vestments need to ensure that they complement the way that the 
program is moving forward. And so we are really working now to 
ensure the integration of the IT investments into the overall pro- 
gram performance and the results that program intends to achieve. 

So the results and the performance results that are outlined in 
the business case need to complement and enhance the overall pro- 
gram results that we are now using the assessment tool for. So I 
think between those two elements, we’re moving forward in that 
we have tools that are there now to work with the agencies to re- 
flect that. 

Mr. Clay. Thank you. Mr. Powner, let me say it’s my belief that 
the investment management process is integral for effective pro- 
gram stewardship and necessary in a time of severe budget con- 
straints. Having said that, your findings indicate that the absence 
of an agency CIO was hindering a number of agencies from imple- 
menting some of the recommendations made for investment man- 
agement practices. Can you tell us how many of the agencies de- 
tailed in the report were missing a CIO and if the absence of this 
leadership position is common at the agency level? 

Mr. Powner. I would have to get back to you on the exact num- 
ber that were missing, the CIO, and they gave that for a reason 
why they didn’t have that practice in place. We received a number 
of reasons why some of these key practices were not in place. 
Clearly, not having a CIO was one of several reasons. In many in- 
stances, agencies and departments told us that it was clearly an 
oversight and they were in the process of putting these practices 
in place. 

Mr. Clay. How long have they been in the process of doing this? 
I mean, how many years has it been have they been told to get a 
CIO? 

Mr. Powner. Clearly, it differed by agency. We had agencies dif- 
fer in terms of the timeframe which they’ve been putting these in 
place, clearly it’s been in law and required for quite a number of 
years. You’re absolutely correct on that, but the specifics by agency, 
I’d need to get back to you on that. 

Mr. Clay. OK, I’d appreciate that. Mr. Johnson. 

Mr. Johnson. Mr. Clay, all of these agencies have had CIOs. If 
they don’t have one now it’s because the person left and they 
haven’t been replaced yet. Not having a CIO is not an excuse for 
not having done this. 

Our agencies are supposed to be set up to continue to function 
and to continue to do good work in the absence of Assistant Sec- 
retary or Deputy Assistant Secretary, whatever. And the absence 
of a CIO should not be given as an excuse. 

Mr. Clay. Thank you for that answer. 

Mr. Putnam. Thank you, Mr. Clay. We have four votes pending 
which will be about a 30 to 35 minute delay. So, if your schedule 
will accommodate, we would ask your indulgence and your patience 
and offer our apologies. So the subcommittee will stand in recess 
for 30 minutes, feel free to go check your e-mail. 

[Recess.] 

Mr. Putnam. The committee will reconvene and I want to thank 
you again for your indulgence and I apologize for leaving you 
stranded for 30 minutes with the reporters. [Laughter.] 

They had you sort of captured, but it’s unfortunately, just a part 
of this process. 





We will pick up where we left off in terms of performance meas- 
ures and proceed. 

Ms. Evans, what mechanisms are in place to prepare for and 
manage for our long-term IT needs as opposed to we’re constantly 
playing catch-up with legacy systems and eliminating stovepipes 
and all that? What process is in place to look ahead to see how we 
end up where we really need to be as opposed to playing catch-up 
all the time? 

Ms. Evans. With our efforts on the Federal Enterprise Architecture, 
that really is our plan of how to move forward. That effort 
with the reference models and then the way the whole architecture 
process works where we’ll be defining our to-be architecture, that 
is where we want to be. And as we start using the agencies’ sub- 
mission of their Enterprise Architectures and how they align to the 
Federal Enterprise Architecture, we’ve had the opportunity, both in 
fiscal year 2004 as well as 2005, to identify collaboration efforts 
that we can see where agencies are planning expenditures, where 
agencies are planning modernization efforts and then based on it 
all coming into a central location and doing the analysis that we 
have with the Federal Enterprise Architecture and how they map 
to the reference models. We can then see where there is potential 
collaboration efforts and we can work with the agencies so that 
they realize that versus them doing it on their own. That cycle by 
having it in the budget cycle right now has a 2-year budget cycle 
associated with it, as well as the long term out year through the 
plans that the agencies submit with a 5-year cycle. 

So that really is our long-term plan, to continue to use the enterprise 
architecture efforts of the agencies as well as our own Federal 
Enterprise Architecture. 

Mr. Putnam. And how do you then measure the success of an IT 
purchase? Is it about just simple compliance with the RFP or is 
there a performance linkage associated with it? You or Mr. Johnson 
can 

Ms. Evans. OK, first, there is a performance reference model 
contained within the Federal Enterprise Architecture. We released 
the first model of that and we’re going to continue to work, as I 
stated earlier with the budget and performance integration team 
that is that part of the tenet of the President’s management agen- 
da. 

The PART does have metrics in there that will measure the ef- 
fectiveness of the program. The IT investments have to support 
that and so also within the business case, there is a specific area 
that deals with performance measures. And so we ask the agencies 
to ensure that those align with the reference model as well as those 
going forward with the PART. Also, we’re asking the agencies and 
what we’re working with the agencies now on is earned value man- 
agement which is having an EVMS system in place. That then gets 
to a lot of the issues that were brought up in the GAO report as 
far as execution of measuring your expected results against your 
actual results, about having business processes in place that will 
then track all of that so that we can say yes, this is what we 
thought we were going to do. This is what we actually did. Or, if 
an investment starts to get off track, because of the way, if you implement 
this appropriately, you’ll have leading indicators which 
will then allow you to adjust whatever you have to adjust on a 
project that is supporting the overall mission of the agency. So we 
think between the PART, the Federal Enterprise Architecture and 
then more specifically an earned value management system within 
an agency will then allow us to be able to match and measure 
planned results against actual results. 

Mr. Putnam. What are the consequences when an agency fails to 
meet their goals or their milestones or their performance meas- 
ures? What consequences are there? 

Ms. Evans. Right now we are using what we have available 
which is and several things are available, but it’s apportionment of 
funds and what that means is that if a project is to fall off target 
and we have major concerns and right now there are several, obviously, 
that are on the management’s watch list, we work very closely 
with the budget side of the house of OMB and what we do is 
make sure that the agency has a good remediation plan in place, 
that it’s agreed upon between the agency and OMB and then we 
have tools that are available to us that say OK, you have to take 
this particular action and then we apportion the funds to ensure 
that those actions are met and that they are complying with the 
action plans that they said that they would. 

Mr. Putnam. And have you done that, Mr. Johnson? 

Mr. Johnson. Karen and I have talked and I have a 15,000 or 
20,000 foot view of it. We need to put more check and balance, 
more teeth into it. There needs to be more consequence and there’s 
more this year than there was last, and more last than the year 
before that and that’s just something we need to do working with 
the OMB branches and working with the agencies and we just — 
we have a clear definition of where — the agencies have a clear defi- 
nition of where they want to be, to be yellow and green is the way 
we discussed it and they’ve talked to us about timeframes by which 
they’d like to be at what we call green state of affairs and almost 
to help them be rigorous about it, we need to be — make sure there’s 
plenty of teeth. I told Karen last week, in fact, let’s figure out how 
we can put as many teeth into this mouth as possible. All these 
things — the rigor, disciplines and checks and balances that we need 
to ensure that, in fact, we are properly focused on security and the 
quality of management and project management and budget man- 
agement and so forth. 

Mr. Putnam. So you currently can apportion funds. What addi- 
tional teeth would you like to see? 

Mr. Johnson. We can apportion funds. We don’t apportion funds 
to the extent to which we can. 

Mr. Putnam. So it is not a matter of authority. 

Mr. Johnson. Right. 

Mr. Putnam. So much as it just hadn’t been done. 

Mr. Johnson. Right. I mean when you go in and stop a project 
that’s mid-development, you’re fixing to have a little wrestling 
match with the agency and there are opportunities to do that and 
sometimes it’s going to take that. 

Mr. Putnam. I wouldn’t think you’d have to do it but once or 
twice and everybody else would catch on. 

Mr. Johnson. Right. 





Mr. Putnam. Every time I need something from OMB, we have 
to wrestle with them. [Laughter.] 

Mr. Johnson. You wouldn’t recommend it, would you? 

Mr. Putnam. I lose every time. [Laughter.] 

Have you ever been in an arm wrestling match with OMB? Have 
you ever won? It’s not fun and yet 

Mr. Johnson. We’re gentlemanly about it, aren’t we? 

Mr. Putnam. You’re very gracious, just wiping the mat with us. 
And yet, I see these agencies and we’re going to get into this in our 
next hearing, but agencies don’t even know what equipment they 
own and can’t find it, don’t know where it is. Didn’t know they had 
it. They’re not accountable for securing it and nothing happens 
and 

Mr. Johnson. We have plenty of authorities now and it’s our re- 
sponsibility to make sure that we are using every authority we 
know. 

Mr. Putnam. If you all are as tough on agencies as you are on 
Members of Congress, we can save a bunch of money because it 
concerns me. 

Mr. Johnson. But you’re talking about those B people, right, not 
the M people. 

Mr. Putnam. That’s right, that bad old B team. But it’s a legiti- 
mate issue in that you have this authority. Everybody is pretty 
clear on what the problem is and we just can’t seem to get our 
arms around it. And that’s a little disappointing. 

Mr. Johnson. Although great progress has been made in every 
area, I mean 3 years ago, 2 years — we were 20 percent secure. 
We’re 62 percent secure, just as an example. But we want to be at 
80, so we are making great strides. We can make greater strides 
and will. 

Mr. Putnam. Fair point and I don’t want to diminish the 
progress that you have made. We didn’t get into this position over- 
night and we’re not going to get out of it overnight. 

So you have 621 IT projects totaling $22 billion on the OMB 
management watch list. That means they need improvement in 
performance measures, earned value management or IT security or 
some combination and so can we — let’s begin with how do you de- 
cide who gets on the list and I guess to our earlier discussion, what 
point will you decide or do you decide that you’re just going to ter- 
minate or modify these at risk projects and what are they? Is that 
a list that we can get our arms on, get our hands around? 

Ms. Evans. OK. First, the way that we determine the list 

Mr. Putnam. Mr. Johnson, you’re such a gentleman letting her 
answer first. 

Mr. Johnson. Southern. You know how we were raised. 

Mr. Putnam. Ladies first. 

Ms. Evans. I get to go first. OK, the way that we determine the 
management watch list is based on the business case submissions 
and so the business cases are reviewed internally within OMB and 
they’re assigned a score between 1 and 5, a total score. The man- 
agement watch list is composed of any business case that has re- 
ceived a 3 or lower, total score. Or, if you’ve gotten a 4 or 5 on the 
overall business case, but you have a 3 in the cybersecurity element 
of the business case, then you’re put on management watch 
list. 

Then what happens at that particular point, say for example, if 
it’s cybersecurity, agencies receive specific guidance during the 
budget process of what they needed to do to remediate that particu- 
lar risk. So in the case of cybersecurity they had a specific date 
that they had to turn in a remediation plan to us to talk about how 
they were going to address the overall cybersecurity posture within 
an agency. And then also what had to be included are the costs as- 
sociated to accomplish that remediation. When that came in, now 
we’re in the process of evaluating that plan to see if it meets every- 
thing that is under the guidance of FISMA, that it has the IG re- 
view, how to go forward and do they have adequate funding levels 
within their current levels. If they don’t, what the process was of 
how we went forward is the guidance is very specific that no new 
development efforts should go forward in that agency until they 
have remediated this weakness and dollars that they have associ- 
ated with new development efforts would be redirected to help sup- 
plement and remediate that particular weakness. And that’s where 
we’re working hand in hand with the budget side of the house to 
ensure that happens under our current authorities. 

If it’s something else like the EVMS or performance measures, 
we also have asked the agencies to turn in plans to deal with that 
and we set a target for June of this year, associated with the score- 
card, because we measure their progress on a quarterly basis with 
the President’s management agenda scorecard. And so those plans 
will also be looked at prior to them actually expending funds in fis- 
cal year 2005 and so in the meantime, we’re looking to see how far 
down, how bad is it and then we’re making recommendations to go 
forward of whether that project should be stopped if we don’t feel 
that there’s an adequate plan to remediate the weakness and that’s 
what I’m working with Mr. Johnson on very closely. 

Mr. Putnam. Can we get a list of the projects on that list? 

Ms. Evans. I need to check because we normally don’t release 
the list and so I will check internally since it’s coming to you. We 
don’t normally release it to the press at all because what we really 
want to do is have the agencies have the opportunity to be able to 
justify that business case, be able to remediate the weakness, have 
a good business practice in place to ensure the success of that 
project. 

So I will check and get back to you on that. 

Mr. Putnam. Thank you. Let me just ask one final question be- 
fore I recognize Mr. Clay. 

Help me to understand this; $60 billion spent on all IT invest- 
ments governmentwide. And the State of Florida’s budget is about 
$56 billion this year. So it kind of puts it in perspective as a former 
legislator, thinking about all the things that we used to be able to 
do with $56 billion, actually it was more like $50 back then and 
what we’re spending just on IT. 

How much of that roughly $60 billion is just ordinary kind of 
stuff that anybody in America who owns a small business or a big 
business or a home computer would understand, you’re just upgrading
your operating system, making sure everybody has the latest,
the greatest, the newest to do the things that they need to do
that are commercially available off-the-shelf kind of stuff, and what
percentage of that $60 billion are really zebras, things that are 
unique to the mission of IRS or DOD or whomever that really do 
fit that unique category? 

Is the overwhelming majority of the $60 billion just because of 
the sheer size and scope of the government? Or is it because we’re 
still building zebras to do what anybody could go down to the store 
and buy a horse to do? 

Ms. Evans. Well, if I understand the question correctly, so the 
way the $60 billion is broken out for the fiscal year 2005’s budget, 
it reflects the administration’s priorities of defense and homeland 
security. So if you look at — it’s actually $59.7 billion; $27.4 billion 
are associated with DOD systems. And then 

Mr. Johnson. Can you say that again? 

Ms. Evans. $27.4 billion 

Mr. Johnson. Alone are DOD? 

Ms. Evans. Yes. Out of that total. And then of the homeland se- 
curity, $10.3 billion is associated with homeland security. So that 
leaves $22 billion associated with all other. 

So that all other includes all the civilian agencies going forward. 
Now, also in the homeland security piece, and I want to make a 
distinction there, as agencies send business cases forward, that is 
not just the homeland security’s IT budget. It is what agencies who 
have homeland security missions or are supporting homeland secu- 
rity missions, they mark their business cases and say that this is 
in support of homeland security and then what a particular area 
is. So we pull that out of the investments to show where the agen- 
cies were investing their dollars. So it’s not just the Department of 
Homeland Security, but it also reflects what the Department of 
Justice may be doing, what Department of Treasury may be doing 
in the area of homeland security. 

Mr. Putnam. What I’m really asking, and we’re getting there is, 
take CAPPS II for example, it’s not something that everybody in 
America needs or wants or would have or could go out and buy. Ob- 
viously, it’s a very expensive thing to make it all happen. 

So that’s a big ticket item that clearly government is going to 
spend a lot of money to get it right. But of that $27.4 billion de- 
fense and certainly the $22 billion of the other, how much of that 
is just getting the newest Windows system on every extension 
agent’s desk in America for the Department of Agriculture and 
those kinds of things? 

Mr. Johnson. So purchasing an upgraded computer, new, latest 
version of an operating system or Windows or something 

Mr. Putnam. Sure. 

Ms. Evans. I would have to get back to you on the specific of 
what that number is and we have it available because we did ask 
the agencies this year as part of their 2005 submission to send in 
one business case that consolidated all the infrastructure costs 
such as office automation, computer purchases, network, cost, net- 
work infrastructures, so we should be able to pull that and I’d be 
glad to get back to you and give you a specific number of what’s 
related to that. 

Mr. Putnam. I think that would be helpful because when I give 
the Rotary Club speech and I tell people we spend $60 billion on
this stuff, people are just in shock. And the assumption is that it’s
because of things related to homeland security, things related to 
defense like CAPPS II or the things that truly are unique, but my 
sense that the majority of it is just when you figure up how many 
employees of the Federal Government we have and all the offices 
we have and everything else, it’s just ordinary upgrade that every 
business in America does in an outfit the size of the Federal infra- 
structure. That’s the real goal here is to see what that is. 

Do you want to add anything? 

Mr. Johnson. Well, I’m going to conjecture. My sense of it is, the 
number that you’re asking about is a gargantuan number, but it’s 
a small percent of the total. 

Mr. Putnam. Thank you. Mr. Clay. 

Mr. Clay. For Mr. Powner, of the many practices that GAO eval- 
uated in its recent report, which rise to the top as the most critical 
for agencies to fix? 

Mr. Powner. Clearly, there were two that require more work. 
One is associated with strategic planning and performance meas- 
urement. As I had mentioned prior, we saw strategic plans in place 
and goals. What we didn’t see was the associated performance 
measures nor processes in place that would actually track those 
performance measures to results. So performance measurement 
would be No. 1. 

Second, when you look at investment management, there was a 
fair amount of rigor on the front end where we had investment 
boards in place and selection processes. We were choosing invest- 
ments based on sound criteria, but once we selected those invest- 
ments, having the appropriate oversight processes in place, those 
were clearly lacking. 

Mr. Clay. Are there any agencies that would have greater chal- 
lenges in managing their IT strategic planning and performance 
practices or investment management practices due to the nature of 
programs they administer? In other words, are some agencies in 
need of more frequent upgrade due to the change in technologies 
or trends? 

Can you identify of them that have some unique issues that 
they 

Mr. Powner. I don’t know if there’s unique issues by agency. I 
think when you look across the board, almost every Federal agency, 
we look at — the FAAs, the DHS — we are really trying to insert 
technology into these organizations. So I would say the majority of 
these organizations are challenged to ensure that we have new 
technologies in place to meet missions. 

Mr. Clay. OK, thank you. Ms. Evans, how does OMB intend to
utilize the CIO Council to encourage better IT management across 
the government? 

Ms. Evans. The CIO Council directly in partnership with OMB
has two major committees that we use. Actually, there’s three 
major committees, but the two that impact what we’re talking 
about today are the Best Practices Committee as well as the Archi- 
tecture and Infrastructure Committee. 

The Architecture and Infrastructure Committee really works on 
in partnership with us on governance of the overall models that we 
have in place that are leading us to better management of the IT
as a whole. And then the Best Practices Committee looks at where
there are pockets of innovation, who has best practices in place and 
then takes those out so that we can then share those across the 
IT community as a whole. 

So both of those committees are very important to ensure that 
we have all that information out to all the CIOs. 

Mr. Clay. Let me ask you, we’ve been talking about information 
management, information security and investment and information 
technology, but we haven’t talked very much about information 
itself.

Most of the systems we are talking about are used to create a 
process, government information. Now some of this information 
should be readily available to the public. I would like to know what 
OMB is doing to assure that these systems make it easier for permanent,
public access to government information.

What happens all too often is that a citizen writes to an agency 
and asks for Document X. The agency writes back that it is going 
to take six people 4 hours each to search through the filing cabi- 
nets to find that document and if you will send us a check for 
$4,000, we will go look for that document. 

What are you doing to make sure this investment improves pub- 
lic access to this information? 

Ms. Evans. Every investment proposal that comes forward, we 
evaluate that investment for interoperability, as well as utilization. 
And the whole focus of the President’s management agenda in the 
tenet of E-Government is a citizen-centered approach. So every- 
thing that we’re doing, along with things that are already existing 
such as the Government Paperwork Elimination Act, even though 
we reported on that, that doesn’t mean that we are not continuing 
our work to eliminate those areas and to automate those trans- 
actions. 

So all those investments are looked at that way to ensure that 
we have transparency and then availability of the Government’s in- 
formation to the public. 

Mr. Clay. Will the public have better access to the documents, 
to the information that they seek, or will it be the same bureau- 
cratic delay that they encounter now? 

Ms. Evans. The answer is yes, they will have better access, yes 
sir. 

Mr. Clay. Thank you, Ms. Evans. Mr. Johnson, has the Program 
Assessment Rating Tool [PART], that has been used for the past 
two budget cycles by OMB for the evaluation of program performance
and outcomes offered any insights into the ways in which the
lack of IT management is impacting the effectiveness of programs 
at the agency level? 

Mr. Johnson. I don’t know the answer to that, but whether it’s 
indicated where there are big IT gaps, where IT has not been deployed
and should have been. My suspicion is no, it has not identified
any large IT gaps, but I don’t have a specific answer.

Mr. Clay. Can you respond back to us in writing? 

Mr. Johnson. I’m sorry, what? 

Mr. Clay. Could you respond back to us in writing? 

Mr. Johnson. Sure.

Mr. Clay. On that question. Thank you and thank you, Mr.
Chairman. 

Mr. Putnam. Thank you very much. Let’s talk about the enter- 
prise architecture for a second. 

How have OMB and the agencies addressed the lines of business
consolidation opportunities within their submissions and how has
OMB addressed that — how did the individual agencies address
lines of business consolidation and how have you addressed it and 
what success have we seen from that? 

Ms. Evans. Each agency, as they go forward in their efforts of 
putting together their enterprise architecture, see the opportunities 
to consolidate and I believe the best example of that right now is 
the Department of Agriculture. They did a very rigorous analysis, 
using their architecture this year before they submitted their fiscal 
year 2005 budget and it resulted in $162 million worth of savings 
within their IT portfolio. 

So that’s a clear example of how an agency has used that inter- 
nally within their own enterprise. That then translates up into the 
overall efforts of where we see investments going along a path, for 
example, of the ones we’ve already highlighted, such as financial 
management and grants management systems and human resource 
systems. And so what we’ve done this year again through the budg- 
et passback process that we have available to us is that we have 
specific levels of effort now, lines of business analysis, as you’ve 
said, that has resulted from us looking at the Federal Enterprise 
Architecture and said we want a very concerted effort looking at 
that, seeing what can be the common solution, how we can move 
forward. 

And what we have done is we have directed the fiscal year 2004 
development and modernization dollars that are associated in these 
lines of business to support that analysis which will then move the 
agencies to the common solution that will be defined by September 
of this year. 

Mr. Putnam. What is it that USDA consolidated to save $162 
million? 

Ms. Evans. They looked at their entire portfolio, everything that 
they were investing IT dollars in and they did a very rigorous anal- 
ysis and tied it in with their overall capital planning and what they 
did was consolidate down their portfolio, so that as they send in 
their business cases they really looked at what is supporting their 
corporate, what is supporting program specific IT investments and 
it resulted in them really taking a hard look at what they were 
going for and asking for in the past and what they were asking for 
this year in fiscal year 2005 and it resulted in $162 million worth 
of savings. 

Mr. Putnam. And did they benefit from any of that savings? 
Were they able to redirect it to other priorities? 

Ms. Evans. The way that this works prior to it coming in, what 
should happen and the way that this should work and the way that 
it does work, it worked at Energy in this way as well is that if the 
agency moves forward and through its budget process they give 
specific guidance that are aligned with the President’s priorities, so 
in the spring, they’ll do a call out to their entire agency and say 
send everything in and align with this guidance.

Then the departmental offices will evaluate how that aligns very
similar to the same questions that you’re asking me of how I do 
it on the $60 billion, each agency does it for their piece. Then as 
they go forward there is then a review in the summer that the Sec- 
retaries and the Deputy Secretaries then look at that. 

In this particular case, as Agriculture went forward, there were 
certain targets that we are given by OMB that each agency is supposed
to have their budget meet. So as we consolidate and have
saving and realize that we can consolidate or leverage what we already
have or get an enterprise license for our department as a
whole, those savings are then reflected within the agency submission
to meet the target levels that we’ve been given by OMB. That’s
how an agency puts together its overall budget. 

So the answer, that’s a long answer to yes, they realize the sav- 
ings because it’s reflected in how they put together their overall 
target numbers that go forward to OMB for us to review.

Mr. Putnam. Do you have other success stories like that? Is it 
totaled up, $165 million here, $70 million there, $10 here. Pretty 
soon, it’s real money. 

Ms. Evans. Right, and that’s why we’re going back through each 
portfolio and really working with the agencies through the score- 
card process as well, so that we can really get a handle on what 
the true cost savings are. 

I can tell you from an overall piece of looking at the budget as 
a whole that development and modernization dollars went down by 
5.66 percent this year from 2004 to 2005. So the next logical ques- 
tion you would think is OK, all the maintenance dollars really sky- 
rocketed through the roof because everything that was new is now 
implemented in the separate agencies. 

But there’s only a 3.45 percent increase in steady State dollars. 
So what we’re now starting to see is benefits from the consolidation 
efforts as the agencies are moving forward because their budgets 
reflect how they plan to use the common solutions that are being 
developed under the government initiatives. 

Mr. Putnam. I went through a Coca-Cola Shared Services Center 
in my District that I went through over the Presidents’ Day break. 
They have 400 people, one building, who do all the accounts receiv- 
able, all of the accounts payable, payroll, 80 CPAs doing their tax 
accounting, their financial accounting, all their books for Coca-Cola 
North America. 

They have a sales force that doesn’t have an office to report to, 
they have wireless devices. They visit their clients, the convenience 
store, the restaurant, the mom-and-pop diner, whatever it may be, 
key in the order, no paper. Their hours are paperless. Direct de- 
posit, paperless. Are we even close to getting to that type of effi- 
ciency in the Federal Government? 

Mr. Johnson. I’ve met in the last week with the people in Social 
Security, student loan operation in Education, the IRS, phone oper- 
ation, customer service operation, this isn’t specifically IT, but 
those operations and I’ve referenced that — I compare that to my ex- 
perience in mail order business. Those operations are very, very so- 
phisticated, very sophisticated, very results-oriented. They measure 
everything. They’re very focused on service. They have great use of 
technology. They deploy things here and there and their facilities
are doing BlackBerries and so forth, but that’s very sophisticated
use of technology to provide high levels of service. I bet you that’s 
the anomaly in the Federal Government, but there are places 
where technology really lends itself to getting the mission accom- 
plished like that, like in Defense, all the things you see when we 
go to the battlefield. That is extremely sophisticated. So we are 
using — we are deploying very sophisticated IT intensive systems in 
those service operations. Social Security and student loans and so 
forth in the defense world, those things we’re exploring it there. As 
sophisticated as the brainiest people can think of, there are other 
areas where it’s not that sophisticated. 

One of the things I know that Karen’s group looks at is to make 
sure that when we are going from a manual, basically a manual 
operation to a system attached operation, we just don’t systemize 
the manual process. We just don’t get computers to do what human 
beings were doing. We look at that as an opportunity to completely 
change the way we do business and do you really need a copy — 
those kinds of things. 

But with $60 billion and all the things that we do in the Federal 
Government, there’s a wide range, but in some areas it’s as sophis- 
ticated as it can be. 

Mr. Putnam. And this goes back to our question of Ms. Evans 
earlier on our long-term needs. I’m less interested in playing catch 
up with the Federal Government than I am in skipping generations 
of technology and getting us where we need to be. So if INS doesn’t 
have enough computers, maybe they don’t need to buy more desk 
tops. Maybe we need to have Border Control agents who have wire- 
less devices that are beaming at real time so that we have a better 
sense of what’s going on. And the Defense example is an outstand- 
ing example, because it represents the best and the worst of the 
Federal Government. 

We are so good, so effective and ought to be so proud of how we 
can move things from the laboratory to the battlefield and then 
into the commercial sector. You know, GPS. Everybody in Florida
has a $99 hand held GPS and they’ve got 4,000 lobster and grouper
holes programmed into it. That’s a rapid movement of technology
because of the Federal Government.

And then if you look at the rest of the DOD, they can’t find $1 
trillion worth of stuff and they’ve got an ancient, Stone Age procurement
and personnel and payroll system and all of this other
stuff. It’s just abysmal. You’ve got the best and the worst all in the 
same five-sided building and so that’s where I’d like to see us go. 
Instead of focusing on let’s catch everybody up and make sure that 
we’re fine with 2003 computers, let’s get them to the next step. 

Mr. Johnson. I’m not a defense specialist by any stretch of the 
imagination, but I know there’s been a lot of talk about skipping 
generations of technology in the defense world and because of these 
major weapons systems it does take 10, 20, 30 years oftentimes to 
bring them to full utilization and by then the technologies change 
dramatically and so, a lot of attention is being paid to that at the 
Defense Department. 

Mr. Putnam. I’m going to keep going. Ms. Evans, I understand 
that you have developed a new way to fund the Government
through GSA surplus revenues. Could you discuss this a little bit
further for us? 

Ms. Evans. Well, the way that the President’s budget is put to- 
gether this year for fiscal year 2005 is that we have the $5 million 
that we’re going back and asking for that. That has been previously 
appropriated, not this year. We got $3 million, but the previous 
year we had $5 million. 

We’re looking to use surpluses in the GSA supply fund and the 
thought process behind that was that fund is built on transactions 
that occur from the agencies as GSA does services for them. And 
since the E-Government Fund is really to then go back and rein- 
vest into the agencies and really serve as an innovation fund simi- 
lar to what like a venture capitalist fund would be like, then we 
thought that the agencies should be able to benefit from the dollars 
that they’ve already spent and then reinvest back into the agencies 
so that they would then be able to move forward with the common 
solution, whatever a pilot program may be. And use that as we 
have the formal budget process, catch up with the planning and the 
execution of the long-term solution. 

Mr. Putnam. So you do see that as potential long-term solution, 
not just a 1-year event. How successfully have we ingrained in IT 
managers’ and CIOs’ minds the importance of building 
cybersecurity into their new systems and how would you rate 
where we are on that? 

Ms. Evans. That is actually highlighted as well in the fiscal year 
2005 budget. It’s in the chapter associated with information tech- 
nology and we did set a specific goal for ourselves of trying to 
achieve that which was again 80 percent of the systems would have 
that appropriately budgeted for in the life cycle. To date, we’re just 
slightly over 60 percent and so we are still targeting to have 80 
percent of the major systems have cybersecurity budgeted for it. So 
we are still shooting for that target. We missed it for the calendar 
year, but we are pushing the agencies forward for that. 

Mr. Putnam. And is there a common approach to cybersecurity 
for all the new systems? Obviously, it varies by mission but when 
a — walk me through the process of governmentwide what the reac- 
tion is when a new virus or worm is identified and begins to move. 
How quickly can the entire Federal Government either apply the 
new patch or take the appropriate measures to protect their sys- 
tems? How quickly can we get that information out there and how 
consistent is our response? 

Ms. Evans. We work very closely with the CIO Council and as 
well as with DHS and as DHS has moved forward, they actually 
have now taken over what is FedCIRC. And so FedCIRC then noti- 
fies the agencies and there are multiple levels of which they get no- 
tification that there is a new virus out there. 

And so then what will happen is to ensure that we hit at all lev- 
els and I’m sure that you’re aware that DHS has also started a 
new forum which will complement the CIO Council which is the 
Chief Information Security Officers Forum, to then continue to talk 
about best practices to do that. But it does vary from agency to 
agency, depending on what types of services they have in place and 
how those operations from a corporate level, as well as by program 
specific level, within an agency are handled.

So if they have a very centralized approach, then the dissemination
of a patch can happen very quickly. If they have a very decentralized
approach, then it takes a little bit longer for the CIO and
the Headquarters Operation to have full accounting of how a patch 
is applied. 

Mr. Putnam. I guess what concerns me is the number of agencies 
and departments out there who don’t know everything they have. 
So even if everybody is doing everything they can you still have a 
pretty gaping hole in your readiness, don’t you? Because people for- 
get about the server that’s out in Iowa or down in Florida, that all 
of these machines that over the years have accumulated and are 
still on the network that just don’t know where they are according 
to, at least, our scorecard and FISMA. 

Ms. Evans. Well, cybersecurity is multi-tiered. The way that you 
manage the cybersecurity posture of a department or the govern- 
ment as a whole is very — it’s multi-tiered. So applying a patch or 
when there’s things dealing with viruses, those are very techno- 
logical types of approach. But cybersecurity starts at day 1 when 
an employee enters into the Federal work force. Or, if an employee 
enters into any type of facility, there is a whole piece associated 
with cybersecurity that deals with education and how best to se- 
cure your own asset. So even though as you said, there’s huge gap- 
ing holes of how we manage from a centrally postured type of ap- 
proach, each person is responsible again and has responsibilities to 
manage their portion or their asset going forward.

So if I’m an individual system administrator down in a field of- 
fice operation that may be a CIO may not know that my particular 
server is there, based on the way our security programs work and 
our education programs work within the Department, I am respon- 
sible as the system administrator to ensure the cybersecurity pos- 
ture of the resources that have been assigned to me. 

So that is done and that education is done as new employees 
come and that level of education is commensurate with the level of 
responsibility that you have for your Federal assets. 

Mr. Putnam. How safe — excuse me, how comfortable are you 
with our access management issues in terms of being able to get 
on to the systems as a new employee. How long does it take to 
process that new name in the system and give them access to the 
things they need to have access to and only the things that they 
need to have access to. How are we dealing with access manage- 
ment? 

Ms. Evans. That is now currently being reviewed. And it always 
can improve because as you also probably know that 80 percent of 
security vulnerability in types of attacks and all types of things 
that happen, usually happen internally. They don’t normally come 
from the outside; 80 percent of the problems are internal and usu- 
ally are related to education of employees or unauthorized access. 

OMB did release in December of this year guidance out to the
agencies to really look at the process to go forward to support our 
E-Authentication Initiative which talks about identity management 
as well as authorized access. And it’s asking the agencies to look 
at each of the systems that are in place, what level of access do 
they really need to have and then go forward to ensure that there’s 
adequate security that’s in place with that and they have to report
back to us on that for their major systems. I believe it’s at the end
of this year. And then do the rest of the systems. But this is all 
in support of what the question that you’re asking right now. We 
need to make sure that the agencies have a good handle as an em- 
ployee comes on board that based on — is that the right employee, 
do they have the right clearances and then are they authorized to 
access those systems and that’s what we’re working with the agen- 
cies now on. 

Mr. Putnam. And conversely, how quickly can we terminate their 
access? 

Ms. Evans. Right, absolutely and that is all part of the same 
process. 

Mr. Putnam. I’m also reminded that we have in October, some- 
what related to your role, a deadline for foreign visitors to this 
country, that if they don’t have a passport with a biometric they 
will have to get a visa to come in, even from current nations who 
are visa-waiver nations and that has Floridians and the tourism in- 
dustry a little bit concerned because they don’t think that too many 
countries are going to be in that position and frankly, our country 
with our passports, are a long way in being in that position, and 
so from a management inside of OMB that’s an issue that all of us
are going to have to deal with as we move forward. 

Mr. Clay, do you have any additional questions or comments? 

Mr. Clay. I have no further questions. 

Mr. Putnam. Do you all have anything that you would like to 
add that we haven’t dealt with or anything that you’d like to men- 
tion? 

Mr. Johnson. Just one comment, one of you used the phrase a 
minute ago about that even though an agency might be doing all 
that it can, we try not to fall back on. We’re working as hard as 
we can. We’re doing everything possible. That’s not — it’s like 
there’s not a CIO that should not be an excuse. We’re working as 
hard as we can. That should not be an excuse. 

We should have a definition of success in a given timeframe. We 
want to be 80 percent secure by a certain date. That’s our goal. 
And if we don’t have the resources to do that, we need to get those 
resources. 

When we say that we’re at 60 some odd percent security now,
some agencies are 90 plus. Some are at 30. It’s not that they’re all 
hovering around 60. There is a wide disparity in security here and 
there’s no excuse why some of those agencies that are in the 30’s 
are there and we need to make sure they get caught up. 

Mr. Putnam. We’re certainly prepared to do whatever it takes to 
help you get them there. We appreciate your efforts. 

Ms. Evans, Mr. Powner, thank you very much, this has been a 
good hearing and we stand adjourned. 

[Whereupon, at 3:22 p.m., the hearing was adjourned.] 




